[wp-hackers] Security at Wordpress
Ryan Scheuermann
ryan at concept64.com
Mon Apr 24 16:13:58 GMT 2006
Owen Winkler wrote:
> Ryan Scheuermann wrote:
>> 3. no need for nonces if the delete action requires POST
>
> Using POST does not obviate nonces or referer checks. If someone were
> to create a form on a different site that POSTed the right info to the
> page that deletes your posts, and then tricked you into clicking it
> somehow, it would delete the posts. And we're talking about deleting
> more than one post now? Yikes. Yes, it would work with just the
> referer check, but then that form would only work in environments that
> support the referer. That is what the nonces are for, to replace
> referer checks with something more available.
>
> Using POST does not obviate nonces or referer checks.
>
You're right, I forgot about CSRF. So we keep nonces. But with this
solution, we could still use POST - even with nonces - which would
remove the "click bad comment link -> delete my blog" security hole.
BTW, what's the official name for this security issue?
>> 5. adds new functionality for mass delete of posts (even if not needed)
>
> Oops. I just accidentally deleted <s>that one post</s> *everything*.
> Oh, dear.
> Time to revisit this:
> http://www.asktog.com/columns/069ScottAdamsMeltdown.html
>
If the checkboxes were only used for delete and we didn't have a
"check/uncheck all" button, how would the user accidentally delete
everything? They would have to click through every checkbox "on
accident" and then "on accident" click the Delete Checked Posts form
submit button on the bottom of the page. I'd like to meet the user that
accidentally does this. :-)
>> 7. follows a widely accepted and user-friendly model for web
>> applications
>
> It also makes it very difficult to insert new per-row POST forms, if
> that's something we might ever consider in the future. As unlikely as
> that might be. Although, I do remember code around in one of these
> tables that let you add new columns in a clever way. Might have been
> the Manage Posts page.
>
> Owen
>
Making it difficult for a future "maybe" doesn't seem like a good reason
not to do it.
Don't get me wrong, Owen, I'm not trying to throw more flames on this
fire, I'm just trying to present a solution that might be acceptable to
the masses without stepping on developers' toes or resulting in (gasp!)
forking the project for no reason.
Ryan
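To make the CSRF point above concrete, here is an added example (not WordPress code, and not code from either poster) of the two handlers being debated: a delete action that only checks for POST, beside one that also requires an action nonce. The nonce scheme, the secret, the helper names (make_nonce, verify_nonce, handle_delete_*) and the request values are all illustrative assumptions; WordPress's own nonce functions are not used so the file runs stand-alone.

```php
<?php
// Added example, not WordPress code. Shows why a POST-only delete handler is
// still forgeable from another site, and how binding a nonce to the user and
// the exact action closes that hole. All names and values are illustrative.

const SECRET     = 'replace-with-a-per-install-random-secret'; // assumption: kept server-side
const NONCE_LIFE = 12 * 3600;                                  // validity window in seconds

// Coarse time bucket so a nonce does not expire the instant it is issued.
function nonce_tick(int $now): int {
    return intdiv($now, NONCE_LIFE);
}

// HMAC over (time bucket, user, action). Because the action is part of the
// input, a nonce minted for "delete posts 7,8" is useless for any other set.
function make_nonce(int $user_id, string $action, int $now): string {
    return hash_hmac('sha256', nonce_tick($now) . '|' . $user_id . '|' . $action, SECRET);
}

function verify_nonce(string $nonce, int $user_id, string $action, int $now): bool {
    // Accept the current tick and the previous one so a form loaded just
    // before a boundary still submits; hash_equals avoids a timing leak.
    foreach ([0, 1] as $back) {
        $expected = hash_hmac('sha256', (nonce_tick($now) - $back) . '|' . $user_id . '|' . $action, SECRET);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// $method, $post and $user_id stand in for $_SERVER['REQUEST_METHOD'], $_POST
// and the logged-in user resolved from the session cookie.

// Variant 1: "POST is enough". The browser sends the victim's cookie with
// any cross-site form submission, so this accepts a forged request.
function handle_delete_post_only(string $method, array $post, int $user_id): string {
    if ($method !== 'POST' || empty($post['ids'])) {
        return 'ignored';
    }
    return 'deleted ' . implode(',', array_map('intval', $post['ids']));
}

// Variant 2: POST plus a nonce that covers exactly which posts are deleted.
function handle_delete_with_nonce(string $method, array $post, int $user_id, int $now): string {
    if ($method !== 'POST' || empty($post['ids'])) {
        return 'ignored';
    }
    $ids = array_map('intval', $post['ids']);
    sort($ids);
    $action = 'delete-posts:' . implode(',', $ids);
    if (!isset($post['_nonce']) || !verify_nonce($post['_nonce'], $user_id, $action, $now)) {
        return 'rejected: bad nonce';
    }
    return 'deleted ' . implode(',', $ids);
}

// Constructed scenario: user 5 is logged in to the blog. An attacker's page
// auto-submits a form like
//   <form method="POST" action="https://blog.example/wp-admin/edit.php">
//     <input name="ids[]" value="7"><input name="ids[]" value="8"></form>
// The attacker cannot read the victim's session, so cannot compute a nonce.
$now    = time();
$forged = ['ids' => ['7', '8']];                                          // no nonce
$legit  = $forged + ['_nonce' => make_nonce(5, 'delete-posts:7,8', $now)]; // from the real admin page

echo 'POST only, forged request:  ', handle_delete_post_only('POST', $forged, 5), "\n";
echo 'With nonce, forged request: ', handle_delete_with_nonce('POST', $forged, 5, $now), "\n";
echo 'With nonce, real form:      ', handle_delete_with_nonce('POST', $legit, 5, $now), "\n";
echo 'Real nonce, other user:     ', handle_delete_with_nonce('POST', $legit, 6, $now), "\n";
echo 'Real nonce, other post set: ', handle_delete_with_nonce('POST', ['ids' => ['9'], '_nonce' => $legit['_nonce']], 5, $now), "\n";
```

Run with `php csrf_nonce.php`. The POST-only handler carries out the forged deletion, while the nonce variant rejects it, and also rejects the legitimate nonce when it is presented by a different user or against a different set of post IDs. This is the property a Referer check cannot guarantee, since the header is optional and some proxies and privacy tools strip it; the nonce travels in the form body that only the genuine admin page can have generated.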