[wp-hackers] Security at Wordpress

Ryan Scheuermann ryan at concept64.com
Mon Apr 24 21:02:27 GMT 2006


Mike Little wrote:
> On 4/24/06, David House <dmhouse at gmail.com> wrote:
>   
>> On 24/04/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
>>     
>>> Using POST does not obviate nonces or referer checks.
>>>       
>> Lets just re-iterate that, folks.
>>
>>     
>>> Using POST does not obviate nonces or referer checks.
>>>       
>> One more time with feeling.
>>
>>     
>>> Using POST does not obviate nonces or referer checks.
>>>       
>> A little aside for anyone who doesn't understand the attack vector:
>>     
>
> The example exploit, that works NOW, *with* referrer check,
> demonstrated by Brian, *would not* work if delete was a POST.  That is
> why some people got so heated about POST vs GET. It is demonstrably
> safer, right now.
> Not completely safe*, true, but safe from the existing exploit!
>
> Allegedly, POST plus referrer check can still be circumvented, though
> I do not understand how. Yes, you can fool an admin into clicking on a
> link which will take him to a page with an evil form, but even if you
> get *that* page to auto submit, the form's referrer would be itself,
> not an admin page.
>
> Unlike the GET attack which can be in your admin comments page, there
> is no way to get an evil form in an Admin page, apart from authorised
> users who can do any number of evil things.
>
>
> Mike
> --
> Mike Little
> http://zed1.com/
>   

You're right, Mike, but that doesn't solve the problem of people who 
don't have check_referrer capabilities (due to firewalls, etc.).  They 
are still at risk from forms being POSTed from other sites.  So the nonces 
are the only solution that handles all cases.

I'm also publicly and on the record agreeing with Owen - using POST or 
GET makes no difference in terms of authentication or security.  Yes, it 
makes sense to do deletes with a POST, but it's purely an academic 
choice.  Security and authentication MUST be implemented in other ways, 
and the most universally accepted way right now for this problem is nonces.

Ryan


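The three defences argued over in this thread, run against the three attacks it describes, as an added example (Python, not WordPress's PHP, and not code from the thread or the project). Requests are plain dicts standing in for HTTP requests, the site and attacker URLs are constructed, and the nonce is a simplified HMAC over (time tick, action, user) in the spirit of a per-action nonce, not WordPress's implementation. The "img in admin comments" scenario is built from the thread's description of the GET exploit (a link planted in a comment, viewed by an admin on an admin page); the exact form of that demo is assumed.

```python
"""Added example (not WordPress code): POST-only, Referer check and nonce
as CSRF defences, applied to simulated requests."""
import hashlib
import hmac

# Constructed demo values. The secret stays server-side: an attacker can
# shape everything else in a request (method, parameters, and on a victim's
# behalf even the Referer), but never derive this.
SECRET_KEY = b"constructed-demo-secret"
SITE = "https://blog.example"
ADMIN_PAGE = SITE + "/wp-admin/edit-comments.php"
EVIL_PAGE = "https://evil.example/win-a-prize.html"
ADMIN_UID = 1

TICK = 6 * 60 * 60  # assumption: a nonce is valid for two 6-hour ticks


def make_nonce(user_id, action, now):
    """HMAC over the current time tick, the action and the user, truncated for URLs."""
    msg = f"{now // TICK}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce, user_id, action, now):
    """Accept the current tick or the previous one, compared in constant time."""
    for t in (now, now - TICK):
        if hmac.compare_digest(nonce or "", make_nonce(user_id, action, t)):
            return True
    return False


def request(method, referer, params, user_id=ADMIN_UID):
    # user_id models the admin's session cookie: the browser attaches it to
    # every request for SITE, whether or not SITE started the request.
    return {"method": method, "referer": referer, "params": params, "user": user_id}


# --- the defences -----------------------------------------------------------
def post_only(req, now):
    return req["method"] == "POST"


def referer_strict(req, now):
    # Reject when Referer is missing: blocks the cross-site form, but locks
    # out users whose firewall or proxy strips the header.
    ref = req["referer"]
    return ref is not None and ref.startswith(SITE + "/wp-admin/")


def referer_lenient(req, now):
    # Allow a missing Referer so those users still work; now the attacker
    # only needs the header to be absent.
    ref = req["referer"]
    return ref is None or ref.startswith(SITE + "/wp-admin/")


def nonce_check(req, now):
    action = "delete-post_" + req["params"].get("post", "")
    return verify_nonce(req["params"].get("_wpnonce"), req["user"], action, now)


def delete_post(req, defence, now):
    """The admin action handler: deletes only if the chosen defence passes."""
    if req["params"].get("action") != "delete":
        return "ignored"
    return "deleted" if defence(req, now) else "rejected"


def run_scenarios(now=1_000_000):
    post = {"action": "delete", "post": "7"}
    # A genuine delete form rendered a minute ago carries a valid nonce.
    legit = dict(post, _wpnonce=make_nonce(ADMIN_UID, "delete-post_7", now - 60))
    scenarios = {
        # <img src=".../post.php?action=delete&post=7"> left in a comment;
        # the admin views it on the comments page, so the browser sends a GET
        # with an admin-page Referer and the admin's cookie.
        "img_in_admin_comments": request("GET", ADMIN_PAGE, post),
        # Auto-submitting form on an attacker page the admin was lured to.
        "evil_form_post": request("POST", EVIL_PAGE, post),
        # The same form, but the admin's proxy strips Referer.
        "evil_form_post_no_referer": request("POST", None, post),
        # Genuine deletes from the admin UI, with and without a Referer.
        "legit": request("POST", ADMIN_PAGE, legit),
        "legit_no_referer": request("POST", None, legit),
    }
    defences = {"post_only": post_only, "referer_strict": referer_strict,
                "referer_lenient": referer_lenient, "nonce": nonce_check}
    return {d: {s: delete_post(r, f, now) for s, r in scenarios.items()}
            for d, f in defences.items()}


if __name__ == "__main__":
    for defence, outcome in run_scenarios().items():
        print(defence, outcome)
```

Running it shows each side of the argument: POST-only stops the planted GET but not a cross-site form; a strict Referer check stops the form but passes the planted GET (its Referer is an admin page) and rejects legitimate users who send no Referer; a lenient Referer check lets the no-Referer form through; only the nonce rejects all three forged requests while accepting the genuine ones, Referer or not. The nonce is bound to the user, so a nonce obtained by one account does not validate for another.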