[wp-hackers] Security at Wordpress

[David House]

On 24/04/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> Using POST does not obviate nonces or referer checks.

Lets just re-iterate that, folks.

> Using POST does not obviate nonces or referer checks.

One more time with feeling.

> Using POST does not obviate nonces or referer checks.

A little aside for anyone who doesn't understand the attack vector:
You log into your blog one day to do a little tidying up. You start to
notice how great an author you are and what a huge shame it would be
if someone deleted one of your posts. You then browse to another site.
Because you are Average Joe User, you don't hit the "Log Out" button
on your way out, because it's inconvenient (you'd have to type your
password the next time you arrived if you did that).

You're browsing your way through the World Wide Web, and you come across this:

http://asymptomatic.net/temp/hack.htm

(Perhaps worded a little subtler in real life. Dressed up as a comment
to a post on a another blog, a post that had trackbacked one of your
masterpieces, perhaps?). You click it, and OOPS! It's too late. There
goes one of your posts.

Therefore, we either need nonces or a referer check. Referer checks
are a pain to those firewalled, and are easy to miss, so I'd vote for
nonces.

And thus, anyone that says switching to POST is a magic bullet needs
to rethink their views. Switching is _not_ a less complex solution, as
it would have to be introduced on top of nonces anyway.

However, I am a standards-are-good kind of guy and I would like to see
a solution where we use POST wherever possible, with GET only as a
fallback. Andrew K showed us that the UI hit is somewhat negligible
(although a proper cross-browser solution is a prerequisite), so you
have my +1 here. Basically, I don't see any advantage or disadvantage
of either POST or GET.

--
-David House, dmhouse at gmail.com, http://xmouse.ithium.net