[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Martin Fitzpatrick martin.fitzpatrick at gmail.com
Sat Mar 3 14:06:16 GMT 2007


On 03/03/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Mark Jaquith wrote:
> I don't think they can trick me into POSTing. Possibly they can trick
> some people. However I am worried that they can trick or force me to
> GET. It's much easier to sneak a GET into the WP admin area than a POST.
> Pingbacks, links in comments, probably a few other things can all put
> GETtable links in front of me that look normal.

Automatic POSTing can be done automagically on any webpage using
Javascript.  If you're currently logged into that remote URL your
browser (may) submit your cookies for it along with the data. A form
to do that can be hidden / in a frame. You could even be presented
with a "Submit" button that looks as though it's part of another form.
Everyone can be tricked.

Of course a GET is slightly easier to set up than this - but slightly
easier is no protection against someone with intent.

> It may be reasonable to have both, especially if you believe it is
> possible to trick some people into POSTing. (That's probably the case.)

The best solution I think.

> However nonces are not a full solution either. They have failed to
> protect WordPress from some of the vulnerabilities uncovered in the last
> few months. They do nothing to  avoid the problem of a web accelerator
> prefetching links, and they may  be stealable from code that sneaks
> inside the admin interface.

From my understanding these are problems that nonces are not intended
to protect against.  Nonces exist to prevent outside links having
effects on WordPress admin.

Web accelerators are bad, bad, bad (bad for web servers, specifically)
but converting links to buttons as suggested will probably solve the
problem for those that choose to use them.  It wouldn't have any
effect on stealability however - but that's a trusted-code issue.

The worst thing about nonces is their name ( see:
http://en.wikipedia.org/wiki/Nonce_%28slang%29 ).

Martin

