[wp-hackers] Serious security hole

Elliotte Harold elharo at metalab.unc.edu
Thu Apr 20 11:35:22 GMT 2006


Elliotte Harold wrote:

> 2. If a logged in WordPress administrator clicks on a link that 
> carefully redirects to the delete post URL, they can unintentionally 
> delete any post on their blog. I've only verified this by clicking a 
> link, but I suspect it's possible to expand this to use images that are 
> automatically loaded without an explicit click as well.

And now that I reread one of Brian's posts, I realize it's not quite as 
bad as I thought (though still pretty bad). The whole attack only works 
from the wp-admin page. That is, the disguised delete link must be 
embedded in the wp-admin page. That means it has to come in through a 
comment or a draft or some such. It can't be a link in an e-mail or a 
3rd party site.

Temporary workaround: don't click any third party links on the wp-admin 
page. Wait till you're back in the main site before following any 
interesting links.

Long-term fix: make delete work via POST, not GET. Then no 3rd party 
could embed the necessary form into the wp-admin page. Furthermore, even 
if they could, the user would be notified before the redirection took 
place.

I could be wrong about this next bit, but I don't think that tightening 
up the referer checks would help. The problem is that the referer in 
this case is http://cafe.elharo.com/wp-admin/ as it should be. (What 
happens to Referer headers in redirect situations? Is there any 
indication to the server that the request has been redirected? i.e., is 
there any HTTP header we could look at to see if someone's sitting in 
between WordPress and the client? I need to go read the HTTP spec and 
find out.)


-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
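As an added illustration of the fix proposed in this mail (example code, not from the thread or from WordPress), here is a Python model of a GET-triggered delete beside a POST handler that also checks a per-session nonce. The request model, post store, session id, Referer value and server secret are all constructed for the example.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass
# Constructed request model: HTTP method, query/form parameters, the admin's
# session cookie (sent automatically by the browser) and the Referer header.
@dataclass
class Request:
    method: str
    params: dict
    session: str
    referer: str = ""
POSTS = {1: "Hello world", 2: "Second post"}   # constructed post store

# Vulnerable handler, modelled on the behaviour described in the mail: a GET
# with a valid admin session deletes the post. A disguised link on wp-admin that
# redirects here carries a legitimate wp-admin Referer, so a Referer check cannot help.
def delete_post_get(store, req):
    if req.method != "GET":
        return 405
    store.pop(int(req.params["post"]), None)
    return 200

# Hardened handler: require POST and a per-session nonce (keyed MAC over the
# session id and the action). A redirect or <img> load can only produce a GET,
# and a third party cannot forge the nonce without the server-side secret.
SERVER_SECRET = secrets.token_bytes(32)   # constructed; per-deployment in practice
def make_nonce(session, action):
    msg = f"{session}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def delete_post_post(store, req):
    if req.method != "POST":
        return 405
    expected = make_nonce(req.session, f"delete-post-{req.params.get('post')}")
    if not hmac.compare_digest(expected, req.params.get("_nonce", "")):
        return 403
    store.pop(int(req.params["post"]), None)
    return 200

def demo():
    referer = "http://blog.example/wp-admin/"        # same on forged and real requests
    forged = Request("GET", {"post": "1"}, "admin-sess", referer)
    vuln, hard = dict(POSTS), dict(POSTS)
    vuln_status = delete_post_get(vuln, forged)       # 200: post 1 is gone
    forged_status = delete_post_post(hard, forged)    # 405: GET refused
    still_there = 1 in hard                           # True: nothing deleted
    real = Request("POST", {"post": "1", "_nonce": make_nonce("admin-sess", "delete-post-1")}, "admin-sess", referer)
    real_status = delete_post_post(hard, real)        # 200: admin's own form works
    return {"vuln": (vuln_status, 1 in vuln), "forged": (forged_status, still_there),
            "real": (real_status, 1 in hard)}
```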
