[wp-hackers] Serious security hole

Elliotte Harold elharo at metalab.unc.edu
Thu Apr 20 11:20:19 GMT 2006

David House wrote:
> Everyone that has participated in this debate:
> This is a call for clarity. Amongst the plethora of arguments,
> counters, counter-counters, metaphors, buzzwords and changes of
> opinion I have little idea what is going on. I've tried to keep up
> with the thread, but I, and I guess others, don't really have a grasp
> of what the options are.
> Thus I would like to be presented with:
> 1) The problems present in the current system.

I'll answer #1 because a lot of people don't seem to realize just how 
bad this is, and don't believe as much is possible as really is. I have 
now verified Brian Layman's proof of concept by creating a post on my 
site and using his link to delete it. Here's what is true:

1. I am talking about the current default install of WordPress 2.0.2, not 
what might happen if we redesign WordPress in the future. The hole is 
here *today*.

2. If a logged in WordPress administrator clicks on a link that 
carefully redirects to the delete post URL, they can unintentionally 
delete any post on their blog. I've only verified this by clicking a 
link, but I suspect it's possible to expand this to use images that are 
automatically loaded without an explicit click as well.

3. At no point are they asked to confirm the delete.

4. At no point are they told they've deleted the post.

5. If the administrator is savvy enough about HTTP and WordPress to be 
participating in discussions here, and *if* they're paying very close 
attention, they may notice that the link goes back to their 
administration page and wonder why.  But most non-technical users won't 
bother to consider this, and just write it off as a temporary glitch or 
think they clicked the wrong link accidentally.

This is not the most serious bug imaginable. However it's pretty bad. 
Think what use an attacker might put this to to silence a political site 
that posts an article they don't like. Think how a book author might use 
it to remove a negative review. Think how the RIAA or MPAA might use it 
to delete a page full of Torrents or DeCSS source code.

This needs to be fixed and it needs to be fixed fast.

Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
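The mechanics described in points 2 through 4 above, modelled in working code as an added example. This is not WordPress code and not something from the thread: it is a toy blog with two versions of the delete handler, the vulnerable one (any request that carries a valid admin cookie deletes the post, with no method check and no confirmation) and a hardened one that accepts the deletion only as a POST carrying a per-session action token that an attacker's page cannot know. The admin path `/wp-admin/post.php`, the cookie name `wp_session`, the `_token` parameter and the HMAC token scheme are assumptions made for the demonstration, not WordPress's actual URLs or mechanism; the forged request is the one an admin's browser would send when it loads the attacker's link or `<img>`, with the site cookie attached automatically.

```python
"""Added illustration of the CSRF the post describes: a model, not WordPress code.
Path, cookie name, token parameter and token scheme are assumptions for the demo."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """One HTTP request as the server sees it."""
    method: str
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class Blog:
    """Toy blog with a vulnerable delete handler beside a hardened one."""

    def __init__(self):
        self.posts = {1: "First post", 2: "A post the attacker wants gone"}
        # session cookie value -> {"user": ..., "csrf_key": ...}
        self.sessions = {}

    def login_admin(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": "admin", "csrf_key": secrets.token_bytes(32)}
        return sid

    def _admin_session(self, req):
        sess = self.sessions.get(req.cookies.get("wp_session"))
        return sess if sess and sess["user"] == "admin" else None

    def delete_vulnerable(self, req):
        """Deletes on any request carrying a valid admin cookie: no method
        check, no proof the admin meant it, no confirmation, then a redirect."""
        if self._admin_session(req) is None:
            return 403
        self.posts.pop(int(req.params["post"]), None)
        return 302  # silently bounces back to the admin page

    def action_token(self, sid, action, post_id):
        """Per-session, per-action token; an attacker's page cannot compute it."""
        msg = f"{action}:{post_id}".encode()
        return hmac.new(self.sessions[sid]["csrf_key"], msg, hashlib.sha256).hexdigest()

    def delete_hardened(self, req):
        """Same action, but only via POST and only with a matching action token."""
        if self._admin_session(req) is None:
            return 403
        if req.method != "POST":
            return 405  # a link or <img> can only make the browser issue GET
        post_id = int(req.params.get("post", 0))
        expected = self.action_token(req.cookies["wp_session"], "delete", post_id)
        if not hmac.compare_digest(expected, req.params.get("_token", "")):
            return 403  # token absent or wrong: treat as forged
        self.posts.pop(post_id, None)
        return 302


def forged_request(admin_cookie):
    """Constructed input: what the admin's browser sends when it follows the
    attacker's link or loads an <img> pointing at the delete URL. The browser
    attaches the site cookie on its own; the attacker never sees it."""
    return Request("GET", "/wp-admin/post.php",
                   {"action": "delete", "post": "2"},
                   {"wp_session": admin_cookie})


def run_attack(hardened):
    """Returns (status code, whether post 2 survived)."""
    blog = Blog()
    sid = blog.login_admin()
    handler = blog.delete_hardened if hardened else blog.delete_vulnerable
    status = handler(forged_request(sid))
    return status, 2 in blog.posts


def run_legitimate_delete():
    """The admin's own form submission: POST plus the token the server issued."""
    blog = Blog()
    sid = blog.login_admin()
    token = blog.action_token(sid, "delete", 2)
    req = Request("POST", "/wp-admin/post.php",
                  {"action": "delete", "post": "2", "_token": token},
                  {"wp_session": sid})
    return blog.delete_hardened(req), 2 in blog.posts


if __name__ == "__main__":
    print("vulnerable handler, forged GET:", run_attack(False))   # (302, False)
    print("hardened handler, forged GET:  ", run_attack(True))    # (405, True)
    print("hardened handler, real POST:   ", run_legitimate_delete())  # (302, False)
```

The point the model makes is that the cookie is not the problem: the browser will always send it. What the hardened handler adds is evidence that the request originated from a page the server itself rendered for this session (the token), and it refuses the GET that a link or image load produces. A confirmation page on top of that addresses points 3 and 4 of the post, but on its own a confirmation step is not a substitute for the token, since the confirmation form can be auto-submitted just as easily.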
