[wp-hackers] Rethinking check_admin_referer()

Brian Layman Brian at TheCodeCave.com
Wed Apr 19 04:59:06 GMT 2006

>With KSES, this should be a non-issue.
In any case, no-one is ever gonna be able to make anything completely
secure. There will always be ways to get past security; the objective
should be to secure as many holes as is reasonably possible.

I'll sit back and let you all go at the meat of this for a while,
because a combination of logged-in user, timed nonce, falling back on a
referer check and finally falling back to a y/n verification IS the way
to go, IMHO.  But first I wanted to give you the results of my tests
tonight.  With a WP 2.02 blog, I was able to delete posts without any
indication to the administrator that it had happened. Using the same
method, I was able to delete all tracks I'd left behind.

I can provide a link, privately, to the wp developers if you want to see
it.  You may already know more ways than this to delete posts and so don't
need to see it.  That's fine too.  But, if you need a working example to
play with, I can provide you with a link.  I don't want to post it to
the list as it is fully functional - as is - and could be used to delete
posts from any WP blog.

The good news is that I was not able to do this through any image tags.
The main problem there was that the referer within the WYSIWYG editor
isn't wp-admin.  It's "wp-includes/.../tinymce/...".  The preview, as
mentioned before, has its own context as well.  I believe I could have
gotten the image portion to work from the Manage Comments view comment
page, but I can't create a regex string worth a dime and that part of it
was beyond me.  However, I suspect it is still possible.  A timed nonce
would make that a much more difficult proposition.

I'll send the details to Matt in any case, just so someone has it.



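The layered check the post above endorses (logged-in user, timed nonce, referer fallback, y/n confirmation fallback), as an added example that is not code from the original post and not WordPress's own check_admin_referer(). It is written in Python as a language-neutral sketch rather than as PHP. SECRET_KEY, TICK_SECONDS, SITE_HOST, ADMIN_PATH_PREFIX and every function name here are assumptions for illustration, and the requests fed to it are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Hypothetical per-site secret (assumption): a long random value kept out of
# the web root, never a constant like this one, in a real deployment.
SECRET_KEY = b"replace-with-a-long-random-per-site-secret"

# One nonce "tick". A nonce is accepted during the tick it was minted in and
# the one after it, so it is valid for between TICK_SECONDS and 2*TICK_SECONDS.
TICK_SECONDS = 12 * 60 * 60

SITE_HOST = "blog.example"        # constructed site host for the referer check
ADMIN_PATH_PREFIX = "/wp-admin/"  # only referers under this path are trusted


def _tick(now=None):
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def create_nonce(user_id, action, now=None):
    """Mint a nonce bound to the logged-in user, the action and the current tick."""
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce, user_id, action, now=None):
    """Accept a nonce minted in this tick or the previous one (constant-time compare)."""
    if not nonce:
        return False
    for t in (_tick(now), _tick(now) - 1):
        msg = f"{t}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def referer_is_admin(referer):
    """Fallback #1: the request was sent from one of our own admin pages.

    The URL is parsed rather than prefix-matched, so "https://blog.example@evil.example/..."
    and "http://blog.example.evil/..." are not mistaken for our host.
    """
    if not referer:
        return False
    u = urlparse(referer)
    return (u.scheme in ("http", "https")
            and u.hostname == SITE_HOST
            and u.path.startswith(ADMIN_PATH_PREFIX))


def check_admin_request(user_id, action, nonce=None, referer=None, now=None):
    """Layered decision for a destructive admin action.

    Returns "allow", "deny", or "confirm" (render a y/n page). The y/n page is
    expected to embed create_nonce() for the same user and action, so the
    confirmed resubmission is checked on the nonce path and cannot itself be
    forged from another site (the attacker cannot read the nonce).
    """
    if user_id is None:
        return "deny"                       # not logged in: refuse outright
    if nonce is not None:
        # A nonce was supplied: it must verify. A bad nonce does not fall
        # through to the weaker referer check, otherwise stripping the nonce
        # would be all an attacker had to do.
        return "allow" if verify_nonce(nonce, user_id, action, now) else "deny"
    if referer_is_admin(referer):
        return "allow"                      # legacy link without nonce, from our admin UI
    return "confirm"                        # last resort: ask the user y/n


if __name__ == "__main__":
    # Constructed requests: a legitimate delete, a cross-site forgery with a
    # stale nonce, and a forgery carrying no nonce and a foreign referer.
    user, action, now = 7, "delete-post_42", 1_000_000
    n = create_nonce(user, action, now)
    print(check_admin_request(user, action, nonce=n, now=now))                   # allow
    print(check_admin_request(user, action, nonce=n, now=now + 3 * TICK_SECONDS))  # deny
    print(check_admin_request(user, action, referer="https://evil.example/", now=now))  # confirm
```

Two points the code makes explicit. First, the order of the fallbacks matters: a request that carries a nonce is judged on the nonce alone, so an attacker gains nothing by sending a bad one. Second, the referer fallback still admits a request whose referer is an admin page, which is exactly the Manage Comments route the post suspects is still exploitable; a referer of "wp-includes/.../tinymce/..." is not under /wp-admin/ and drops to the confirmation step. Requiring the nonce unconditionally, with no referer fallback, is what closes that route.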