[wp-hackers] Rethinking check_admin_referer()

Sam Angove sam at rephrase.net
Wed Apr 19 04:46:43 GMT 2006


On 4/19/06, Matt Mullenweg <m at mullenweg.com> wrote:
>
> I still think the best answer to the original problem is a plugin which
> just turns check_admin_referer off.

The best answer is for them to remove their anti-CSRF security
completely? The solution is to get a better lock, not leave the door
open.

> People who know JS far better than I have told me in the past it is
> possible to do cross-domain GETs so nonces are snake-oil, however my
> best Googling can not find anything. (Perhaps for the best!)

I think the reason you can't find anything is because there's nothing
to find. A working exploit would be big news. Here's a relevant
Crypto-Gram article[1]. ;)

[1]: http://www.schneier.com/crypto-gram-0307.html#8

If you're genuinely worried, the referer check could be kept as well.
They're not mutually exclusive.

> If the best an attacker can do is embed a link in a comment or email and
> hope you click on it, then we've succeeded. At some point we have to
> stop punishing normal users for the extreme edge cases.

How are users being punished? The worst case for them should be the
occasional "are you sure you want to do this?" confirmation page,
which is *better* than the current "wrong referrer" die().
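To make concrete the two points in the message above (a nonce and a referer check are not mutually exclusive, and a mismatch should lead to a confirmation page rather than die()), here is an added example that is not WordPress code or anything from this thread. It assumes a hypothetical secret loaded from configuration, a hypothetical `handle_admin_action()` entry point, and a caller that passes the request arrays in; the nonce is an HMAC over the action, the user id and a coarse time window, checked in constant time, and the referer is treated as a secondary signal whose absence is not an error.

```php
<?php
// Added example, not part of WordPress or of the original post.
// Demonstrates a nonce check that keeps a referer check alongside it and
// answers a failed check with a confirmation page instead of die().

const SECRET_KEY = 'hypothetical-long-random-secret'; // assumption: load from config
const NONCE_LIFETIME = 12 * 3600;                      // window length in seconds

// Nonce bound to the action, the acting user and a time window, so a token
// for "delete post 5" by user 3 cannot be replayed for another action/user.
function make_nonce(string $action, int $user_id, ?int $now = null): string
{
    $now  = $now ?? time();
    $tick = intdiv($now, NONCE_LIFETIME);
    return hash_hmac('sha256', "$tick|$action|$user_id", SECRET_KEY);
}

// Accept the current or the previous window so a form opened shortly before
// the window rolled over still submits. hash_equals() is constant-time.
function verify_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach ([$now, $now - NONCE_LIFETIME] as $t) {
        if (hash_equals(make_nonce($action, $user_id, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Referer as a secondary signal only. Privacy proxies and some browsers strip
// the header, so "missing" is reported as unknown (null), not as a failure.
function referer_matches(?string $referer, string $admin_origin): ?bool
{
    if ($referer === null || $referer === '') {
        return null;
    }
    return strpos($referer, $admin_origin) === 0;
}

// The confirmation page the message describes: re-present the request with a
// fresh nonce so a genuine user can complete it with one click.
function render_confirmation(string $action, int $user_id, array $fields): string
{
    $html = "<form method=\"post\"><p>Are you sure you want to do this?</p>";
    $html .= '<input type="hidden" name="_nonce" value="'
           . htmlspecialchars(make_nonce($action, $user_id), ENT_QUOTES) . '">';
    foreach ($fields as $name => $value) {
        $html .= '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES)
               . '" value="' . htmlspecialchars((string) $value, ENT_QUOTES) . '">';
    }
    return $html . '<button type="submit">Confirm</button></form>';
}

// Hypothetical entry point. Returns 'allowed' when the action may proceed or
// the confirmation page HTML when the request does not prove its origin.
function handle_admin_action(array $post, array $server, int $user_id, string $action, string $admin_origin): string
{
    $nonce_ok   = isset($post['_nonce']) && verify_nonce($post['_nonce'], $action, $user_id);
    $referer_ok = referer_matches($server['HTTP_REFERER'] ?? null, $admin_origin);

    // A valid nonce is sufficient. A referer that positively points elsewhere is
    // a reason to confirm even with a nonce, because the token may have leaked.
    if ($nonce_ok && $referer_ok !== false) {
        return 'allowed';
    }

    $fields = $post;
    unset($fields['_nonce']);
    return render_confirmation($action, $user_id, $fields);
}

// Constructed sample requests.
$user = 3;
$action = 'delete-post-5';
$origin = 'https://example.test/wp-admin/';

// A request that arrived via a bare link (no nonce) gets the confirmation page.
echo handle_admin_action(['post' => 5], [], $user, $action, $origin), "\n";

// A request from the confirmation form carries a valid nonce and is allowed,
// even though the referer header is absent.
$ok = ['post' => 5, '_nonce' => make_nonce($action, $user)];
echo handle_admin_action($ok, [], $user, $action, $origin), "\n";
```

The first call prints the confirmation form; the second prints `allowed`. The order of the two checks is the design point: the nonce decides, the referer can only demote a request to the confirmation page, and nothing in the path calls die().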
