[wp-hackers] Rethinking check_admin_referer()

David Chait davebytes at comcast.net
Sat Apr 22 03:43:52 GMT 2006

Robert Deaton <false.hopes at gmail.com> wrote:
| On 4/21/06, Sam Angove <sam at rephrase.net> wrote:
| >
| > Any registered user can get their own nonce with that notorious hacker
| > trick, "view source". Dastardly!
| Like I said before, people with access to your blog should be "trusted
| users" as someone said earlier. If you can't trust the users on your
| blog, you have bigger issues at hand.

Actually, that's not a fair point.  With things like bbPress able to use the 
WP user table, ALL users become blog users (at some level).  So if anything 
exposed to even a profile-access-only user gives a Nonce, the three-of-four 
subparts have been achieved.

| >  I'm just pointing out that it's theoretically possible,
| > and it's silly to leave it when it can be trivially avoided by adding
| > extra salt or doing something like what the DB backup plugin does:
| This is also something that has to be propogated on every WP admin
| action, and so anything that adversely affects performance is a -1, we
| get enough complaints of how bad WP damages servers and buckles under
| load as it is. We're playing in a world where 17ms makes a human
| perceptible difference in the loading time. Any extra salt is going to
| come with the same exact criticism as having DB_PASS as salt.

Wow.  17ms on a >website loading< is human perceptible?  That's harsh. 
Especially given 150ms ping times... ;)

But really, skip the double-md5, just substr to remove some number of 
characters off the hash, should be amazingly fast compared to the original 
md5, and that should make it (nearly) impossible to reverse-crack. (right?) 
No human-perceptible time to a substr (I hope not!), and it makes the hash 
'incomplete' to a hacker.

Just imho.  Anything to stop the 'here, try to hack my site' emails! ;)


More information about the wp-hackers mailing list