[wp-hackers] Rethinking check_admin_referer()
ryan at concept64.com
Thu Apr 20 15:53:01 GMT 2006
c) Augment the referer check with nonces - Similar to option b,
nonces would be added to forms and links when possible. To verify a
page request, first the nonce would be checked. If it fails, then
the referer would be checked as currently done. If the referer
check fails, then an "Are You Sure?" confirmation would appear. If
any of the checks pass, then no confirmation is displayed and the
action continues as normal.
I like Owen's c) approach but the only problem is that the security hole
still exists: if the nonce check fails, and check_admin_referrer
succeeds, the action is still a go. It's only after the
check_admin_referrer fails that AYS is displayed? Or do we recode only
the vulnerable commands to REQUIRE the nonce check succeed, and others
we let slide?
Otherwise, I would support Owen's b) with b-2) method and the re-coding
of all core admin pages instead. Avoiding the overhead of DB writes for
nonces (and all the code that goes with it) seems to be a better choice
than trying to curb the remote chance that an attacker might be able to
mimic the nonce-generation code (assuming it uses user, action, time,
and other variables).
The only issue is the backwards compatibility of plugins...
Maybe it's possible to just ignore the required nonces if the request
came from a plugin page and didn't contain the nonce? This would ensure
the nonce checks for all the vulnerable core admin pages, but not break
plugins without it. As far as security goes, the security issue is only
present on admin pages that display user input (comments, drafts, etc),
so the majority of plugins wouldn't contain such a security hole on
their admin plugin pages.
More information about the wp-hackers