[wp-hackers] Serious security hole
elharo at metalab.unc.edu
Thu Apr 20 11:20:19 GMT 2006
David House wrote:
> Everyone that has participated in this debate:
> This is a call for clarity. Amongst the plethora of arguments,
> counters, counter-counters, metaphors, buzzwords and changes of
> opinion I have little idea what is going on. I've tried to keep up
> with the thread, but I, and I guess others, don't really have a grasp
> of what the options are.
> Thus I would like to be presented with:
> 1) The problems present in the current system.
I'll answer #1 because a lot of people don't seem to realize just how
bad this is, and don't believe as much is possible as really is. I have
now verified Brian Layman's proof of concept by creating a post on my
site and using his link to delete it. Here's what is true:
1. I am talking about the current default install of WordPress 2.0.2, not
what might happen if we redesign WordPress in the future. The hole is
2. If a logged in WordPress administrator clicks on a link that
carefully redirects to the delete post URL, they can unintentionally
delete any post on their blog. I've only verified this by clicking a
link, but I suspect it's possible to expand this to use images that are
automatically loaded without an explicit click as well.
3. At no point are they asked to confirm the delete.
4. At no point are they told they've deleted the post.
5. If the administrator is savvy enough about HTTP and WordPress to be
participating in discussions here, and *if* they're paying very close
attention, they may notice that the link goes back to their
administration page and wonder why. But most non-technical users won't
bother to consider this, and just write it off as a temporary glitch or
think they clicked the wrong link accidentally.
This is not the most serious bug imaginable. However it's pretty bad.
Think what use an attacker might put this to to silence a political site
that posts an article they don't like. Think how a book author might use
it to remove a negative review. Think how the RIAA or MPAA might use it
to delete a page full of Torrents or DeCSS source code.
This needs to be fixed and it needs to be fixed fast.
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
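The mitigation for what the thread describes is to stop honouring a bare, cookie-authenticated delete URL and instead require a token that the admin UI itself embedded for that user and that action. The model below is an added example and is not WordPress code or anything from this thread: `SERVER_SECRET`, `Blog` and the `delete-post_<id>` action string are assumptions, and the two posts are constructed sample data.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumption: a per-site secret that never leaves the server (constructed here).
SERVER_SECRET = secrets.token_bytes(32)


def make_token(user_id: int, action: str) -> str:
    """Token the admin pages embed in their own delete links for this user/action."""
    msg = f"{user_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def valid_token(user_id: int, action: str, token: str) -> bool:
    # Constant-time compare; a missing or foreign token simply fails.
    return hmac.compare_digest(make_token(user_id, action), token)


@dataclass
class Blog:
    posts: dict = field(default_factory=lambda: {1: "hello world", 2: "a review"})
    log: list = field(default_factory=list)

    def delete_vulnerable(self, session_user, post_id: int) -> bool:
        # Behaviour the thread describes: the session cookie is the only check,
        # so any request the admin's browser makes (link, image) succeeds silently.
        if session_user is None:
            return False
        self.posts.pop(post_id, None)
        return True

    def delete_hardened(self, session_user, post_id: int, token: str) -> bool:
        # Hardened: the request must also carry the per-user, per-action token,
        # which a third-party page cannot know, and the outcome is logged.
        if session_user is None:
            return False
        if not valid_token(session_user, f"delete-post_{post_id}", token):
            self.log.append(f"rejected delete of post {post_id}: bad token")
            return False
        self.posts.pop(post_id, None)
        self.log.append(f"user {session_user} deleted post {post_id}")
        return True


def demo() -> tuple:
    """Returns (vulnerable outcome, hardened outcome without token, hardened legit)."""
    admin = 1  # constructed: the logged-in administrator's user id
    b1 = Blog()
    forged = b1.delete_vulnerable(admin, 2)  # cookie alone is enough
    b2 = Blog()
    blocked = b2.delete_hardened(admin, 2, "")  # cross-site request: no token
    legit = b2.delete_hardened(admin, 2, make_token(admin, "delete-post_2"))
    return forged, blocked, legit, 2 in b1.posts, b2.log
```

In a real deployment the token would also be scoped in time and the delete itself should be a confirmed POST rather than a GET, but the binding to user and action is what defeats the silently followed link.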