[wp-hackers] Rethinking check_admin_referer()
ringmaster at midnightcircus.com
Sat Apr 22 00:41:53 GMT 2006
Paul Mitchell wrote:
> Robert Deaton wrote:
>> Still, all of this is irrelevant to the discussion, which has nothing
>> to do with cracking md5s or finding their collisions.
> Quite. My interest is rather more simple.
> Given that WordPress is multi-user, nonces will be available to anyone
> entrusted with access to so-protected admin functions by the blog owner,
> who is presumably also the sole knower of the database password.
Yes. And every nonce is unique to both the action intended and the user
who is using it, and expires after no more than 24 hours. Go ahead and
try to use the nonce you see when you're logged in to insert a link in
the admin on which someone else with admin access could click to cause
an unintended action. You can't.
If you had tried patching a test install and attempted this, you would
already know that.
> I probably don't appreciate the scale of effort required to extracting
> data from nonces, but was the blog database password subject to
> cryptographic attack, theoretical or otherwise, prior to the
> introduction of the nonce? It was the use of the database password for
> something other than connecting to the database that caught my eye in
> the first place.
To answer your question directly, no. Nor is it after the introduction
of the nonces.
Now more than one person has answered this question more than once. If
you still don't believe what these people have said, then I suggest you
read the several pages of reference they've provided along the way, and
then review the patch that was presented so that you can ask a directed
It should be fairly plain by looking at the code that you can't get the
database password from the nonce, and that the choice of md5 over some
other hash doesn't make this any more or less secure.
I don't mind criticism, but I'm not keen on people alluding to severe
security issues like revealing the database password without having
something other than raw speculation to back it up. Patch in this diff
and test it, and when you find the vulnerability you're worried about,
then we'll talk.
More information about the wp-hackers