[wp-hackers] Rethinking check_admin_referer()

Ryan Scheuermann ryan at concept64.com
Thu Apr 20 15:53:01 GMT 2006

Owen wrote:

    c) Augment the referer check with nonces - Similar to option b,
    nonces would be added to forms and links when possible.  To verify a
    page request, first the nonce would be checked.  If it fails, then
    the referer would be checked as currently done.  If the referer
    check fails, then an "Are You Sure?" confirmation would appear.  If
    any of the checks pass, then no confirmation is displayed and the
    action continues as normal.

I like Owen's c) approach but the only problem is that the security hole 
still exists:  if the nonce check fails, and check_admin_referer 
succeeds, the action is still a go.  It's only after the 
check_admin_referer fails that AYS is displayed?  Or do we recode only 
the vulnerable commands to REQUIRE the nonce check succeed, and others 
we let slide?

Otherwise, I would support Owen's b) with b-2) method and the re-coding 
of all core admin pages instead.  Avoiding the overhead of DB writes for 
nonces (and all the code that goes with it) seems to be a better choice 
than trying to curb the remote chance that an attacker might be able to 
mimic the nonce-generation code (assuming it uses user, action, time, 
and other variables).

The only issue is the backwards compatibility of plugins...

Maybe it's possible to just ignore the required nonces if the request 
came from a plugin page and didn't contain the nonce?  This would ensure 
the nonce checks for all the vulnerable core admin pages, but not break 
plugins without it.  As far as security goes, the security issue is only 
present on admin pages that display user input (comments, drafts, etc), 
so the majority of plugins wouldn't contain such a security hole on 
their admin plugin pages.
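The scheme under discussion, as an added illustration that is not code from this thread or from WordPress: a stateless nonce built from a keyed hash of (action, user, time tick), so no DB write is needed and an attacker who knows user, action and time still cannot mimic it without the server key; Owen's c) ordering (nonce, then referer, then "Are You Sure?"); and Ryan's variant, where a set of core actions that act on displayed user input is made to require the nonce while other pages (plugins without nonces) keep the referer fallback. `SECRET_KEY`, `ADMIN_URL`, `NONCE_LIFE`, `STRICT_ACTIONS`, the `_wpnonce` parameter name and the sample requests are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed values for the example; a real site keeps the key in its
# configuration and never sends it to the browser.
SECRET_KEY = b"constructed-example-key-not-for-reuse"
ADMIN_URL = "https://blog.example/wp-admin/"
NONCE_LIFE = 24 * 60 * 60   # seconds; a nonce lives for one or two half-life ticks
# Constructed list of core actions that act on displayed user input and so
# must carry a valid nonce; everything else falls back to the referer check.
STRICT_ACTIONS = {"delete-comment", "approve-comment", "delete-post"}


def nonce_tick(now=None):
    """Half-life tick the nonce is bound to (no per-nonce storage needed)."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE // 2))


def _nonce_for_tick(action, user_id, tick):
    msg = f"{action}|{user_id}|{tick}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, now=None):
    """Stateless nonce: keyed hash of (action, user, tick). Without SECRET_KEY
    the value cannot be reproduced even knowing user, action and time."""
    return _nonce_for_tick(action, user_id, nonce_tick(now))


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current tick and the previous one (12-24h lifetime)."""
    tick = nonce_tick(now)
    return any(hmac.compare_digest(nonce, _nonce_for_tick(action, user_id, t))
               for t in (tick, tick - 1))


def check_admin_referer(headers):
    """The pre-nonce check: does the Referer point at an admin page?"""
    return headers.get("Referer", "").startswith(ADMIN_URL)


def authorize(request, action, user_id, now=None):
    """Owen's c) ordering: nonce, then referer, then 'Are You Sure?'.
    Returns 'allow' or 'confirm'. For STRICT_ACTIONS the referer fallback is
    skipped, so a request without a valid nonce can no longer pass on the
    referer alone (the gap Ryan points out)."""
    nonce = request.get("params", {}).get("_wpnonce", "")
    if nonce and verify_nonce(nonce, action, user_id, now):
        return "allow"
    if action not in STRICT_ACTIONS and check_admin_referer(request.get("headers", {})):
        return "allow"      # lenient path for plugin pages that carry no nonce
    return "confirm"        # show the Are You Sure? page


NOW = 1_145_548_381   # constructed timestamp (April 2006)
USER_ID = 1


def demo():
    """Run a few constructed requests through authorize()."""
    admin_ref = {"Referer": ADMIN_URL + "edit-comments.php"}
    nonce = create_nonce("delete-comment", USER_ID, NOW)
    with_nonce = {"params": {"_wpnonce": nonce}, "headers": admin_ref}
    no_nonce = {"params": {}, "headers": admin_ref}
    offsite = {"params": {}, "headers": {"Referer": "https://elsewhere.invalid/"}}
    return {
        "core_with_nonce": authorize(with_nonce, "delete-comment", USER_ID, NOW),
        "core_referer_only": authorize(no_nonce, "delete-comment", USER_ID, NOW),
        "plugin_referer_only": authorize(no_nonce, "myplugin-save", USER_ID, NOW),
        "core_offsite": authorize(offsite, "delete-comment", USER_ID, NOW),
        "plugin_offsite": authorize(offsite, "myplugin-save", USER_ID, NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

Binding the nonce to a time tick and checking the current and previous tick gives a bounded lifetime without storing anything; the `hmac.compare_digest` comparison avoids leaking the expected value through timing. A nonce minted for one action or user does not verify for another, which is what lets a single secret cover every admin action.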
