[wp-hackers] Rethinking check_admin_referer()
davebytes at comcast.net
Sat Apr 22 03:43:52 GMT 2006
Robert Deaton <false.hopes at gmail.com> wrote:
| On 4/21/06, Sam Angove <sam at rephrase.net> wrote:
| > Any registered user can get their own nonce with that notorious hacker
| > trick, "view source". Dastardly!
| Like I said before, people with access to your blog should be "trusted
| users" as someone said earlier. If you can't trust the users on your
| blog, you have bigger issues at hand.
Actually, that's not a fair point. With things like bbPress able to use the
WP user table, ALL users become blog users (at some level). So if anything
exposed to even a profile-access-only user gives a Nonce, the three-of-four
subparts have been achieved.
| > I'm just pointing out that it's theoretically possible,
| > and it's silly to leave it when it can be trivially avoided by adding
| > extra salt or doing something like what the DB backup plugin does:
| This is also something that has to be propagated on every WP admin
| action, and so anything that adversely affects performance is a -1, we
| get enough complaints of how bad WP damages servers and buckles under
| load as it is. We're playing in a world where 17ms makes a human
| perceptible difference in the loading time. Any extra salt is going to
| come with the same exact criticism as having DB_PASS as salt.
Wow. 17ms on a >website loading< is human perceptible? That's harsh.
Especially given 150ms ping times... ;)
But really, skip the double-md5, just substr to remove some number of
characters off the hash, should be amazingly fast compared to the original
md5, and that should make it (nearly) impossible to reverse-crack. (right?)
No human-perceptible time to a substr (I hope not!), and it makes the hash
'incomplete' to a hacker.
Just imho. Anything to stop the 'here, try to hack my site' emails! ;)
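A nonce along the lines discussed in this thread (a server-side secret as salt, md5, then substr to truncate the hash), written here as an added PHP example and not WordPress's own check_admin_referer() code; the function names, the 12-hour tick and the constructed secret are assumptions.

```php
<?php
// Added example, not WordPress code: a keyed, time-bucketed, truncated nonce
// in the spirit of the thread (secret salt + md5 + substr). Names are hypothetical.

const NONCE_LIFETIME = 43200; // seconds per tick (12 hours, an assumed value)

function nonce_tick(?int $now = null): int {
    $now = $now ?? time();
    return intdiv($now, NONCE_LIFETIME);
}

// $secret stands in for a server-side salt that never leaves the server
// (the thread discusses DB_PASS in this role; any random secret works).
function create_nonce(string $secret, int $user_id, string $action, ?int $now = null): string {
    $tick = nonce_tick($now);
    // Keyed hash over tick, action and user, so a nonce is bound to all three.
    $hash = hash_hmac('md5', "$tick|$action|$user_id", $secret);
    // Truncation: the client only ever sees 10 of the 32 hex digits, so the
    // full digest cannot be recovered from a nonce seen in page source.
    return substr($hash, -12, 10);
}

// Returns 1 if the nonce is from the current tick, 2 if from the previous
// tick (so a form rendered just before a boundary still submits), 0 if invalid.
function verify_nonce(string $secret, string $nonce, int $user_id, string $action, ?int $now = null): int {
    $now = $now ?? time();
    $candidates = [$now, $now - NONCE_LIFETIME];
    foreach ($candidates as $i => $t) {
        // Constant-time comparison so verification leaks nothing via timing.
        if (hash_equals(create_nonce($secret, $user_id, $action, $t), $nonce)) {
            return $i + 1;
        }
    }
    return 0;
}

// Constructed demo: the same nonce is rejected for another user or action.
$secret = 'constructed-example-secret-replace-with-random-server-side-value';
$n = create_nonce($secret, 7, 'delete-post_42');
var_dump(verify_nonce($secret, $n, 7, 'delete-post_42'));
var_dump(verify_nonce($secret, $n, 8, 'delete-post_42'));
var_dump(verify_nonce($secret, $n, 7, 'delete-post_43'));
```

The secret, not the truncation, is what keeps the nonce unforgeable: truncation only ensures that a nonce exposed in a page does not reveal the full keyed digest.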