[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Sat Apr 22 03:05:44 GMT 2006


On 4/21/06, Sam Angove <sam at rephrase.net> wrote:
>
> Any registered user can get their own nonce with that notorious hacker
> trick, "view source". Dastardly!

Like I said before, people with access to your blog should be "trusted
users" as someone said earlier. If you can't trust the users on your
blog, you have bigger issues at hand.

> re: the various challenges offered, it's been pointed out time and
> again that people on this list aren't representative users. I don't
> have a dictionary word as a password; my mum does. That puts the
> keyspace down from > 2500000000000 to less than 100000. That's an
> afternoon, not a lifetime. Someone that actually cared could use
> rainbow tables and do any 8-char alphanumeric password in < 20
> minutes, but that person is not me.

You get funnier and funnier: a rainbow table that happens to be
prepended with a five-digit integer and augmented with a 1-2 digit
integer; now this I'd like to see.

> Seriously though, I don't care about this "attack", I'm not being
> paranoid, and I don't think this is something anyone's ever actually
> going to do.

This would be self-admission of trolling, imho.

> I'm just pointing out that it's theoretically possible,
> and it's silly to leave it when it can be trivially avoided by adding
> extra salt or doing something like what the DB backup plugin does:

This is also something that has to be propagated on every WP admin
action, and so anything that adversely affects performance is a -1; we
get enough complaints of how badly WP damages servers and buckles under
load as it is. We're playing in a world where 17ms makes a human
perceptible difference in the loading time. Any extra salt is going to
come with the same exact criticism as having DB_PASS as salt.

--
--Robert Deaton
http://somethingunpredictable.com


More information about the wp-hackers mailing list