[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
Mark Jaquith
mark.wordpress at txfx.net
Sun Mar 4 18:43:43 GMT 2007
On Mar 3, 2007, at 10:59 AM, Robert Deaton wrote:
> <form name="bar" target="foo" method="post"
> action="http://yoursite/wp-admin/bad-script.php" style="display:none">
> <input type="hidden" name="var1" value="value1"/>
> <input type="hidden" name="var2" value="value2"/>
> <input type="hidden" name="var3" value="value3"/>
> <input type="submit" name="weneedthistosubmit"/>
> </form>
> <script type="text/javascript">
> document.forms['bar'].submit();
> </script>
Elliotte,
The above will submit the form on load, to a third party site, with
cookies intact. In the run-up to the nonces solution, I was able to
write a script that, if passed a WP install URL, did the following:
1. spawned 10 different hidden iframes with incrementing user ids (1
through 10)
2. each iframe contained a script that printed a user's WP profile
page form with a new password
3. each of the 10 forms auto-submitted
The result was that if a user of the site went to the URL (note, a
GET URL) and their user ID on that site was from 1 to 10, their
password would be changed. Since THEY were the ones who submitted
the form, they'd get the new login cookie. So they probably wouldn't
even notice that their password had been changed, as they could still
access wp-admin in their main browser. The script could have easily
immediately tried to use the password. It could have then grabbed
that blog's blogroll and submitted CSRF URLs as trackbacks to those
friendly sites, which, if clicked, would compromise them as well.
>> Nonces exist to protect against CSRF, against unintentional
>> authorized actions. They verify intention, because they pass
>> along a piece of information that you'd only have if you were
>> making the request from an authorized page.
>>
>
> In other words it's a somewhat less spoofable, less blockable
> referer header.
Yes. Less spoofable, and works through proxies and on UAs that don't
send referers. It verifies that the request comes from within WP.
> However nonces are not a full solution either. They have failed to
> protect WordPress from some of the vulnerabilities uncovered in the
> last few months.
Most of the WP vulnerabilities uncovered in the last few months have
been XSS, SQL injection, or PHP bugs. Nonces have effectively closed
off CSRF bugs, which is what they were meant to do.
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://coveredwebservices.com/
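To make the "verifies intention" point concrete, here is an added example (my own illustration, not WordPress's code or anything posted in this thread) of the defensive side: a form handler that refuses a POST unless it carries a nonce bound to the acting user and the specific action. The scheme is loosely modelled on the tick/HMAC idea WordPress uses, but the key, lifetime, field name `_wpnonce`, and the `handle_profile_update` handler are all constructed assumptions for this example. The hidden-input form quoted above would arrive with cookies intact but without a valid nonce, so it is rejected.

```python
import hashlib
import hmac
import time

# Constructed server-side secret for this example; a real deployment
# uses a long random key that never reaches the browser.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Nonce lifetime in seconds; nonces are valid for the current "tick"
# and the previous one, so the effective lifetime is between half and
# the full value (assumed 12 hours here).
NONCE_LIFETIME = 12 * 60 * 60


def nonce_tick(now=None):
    """Coarse time bucket; half the lifetime per bucket."""
    if now is None:
        now = time.time()
    return int(now / (NONCE_LIFETIME / 2))


def create_nonce(action, user_id, now=None):
    """Nonce bound to (time bucket, action, user). Rendered into the
    legitimate page as a hidden field, so a third-party page cannot
    know it without reading the victim's authenticated page."""
    msg = f"{nonce_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce, action, user_id, now=None):
    """Accept a nonce from the current or the previous tick only."""
    if not isinstance(nonce, str):
        return False
    tick = nonce_tick(now)
    for t in (tick, tick - 1):
        msg = f"{t}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]
        # Constant-time comparison avoids leaking the nonce byte by byte.
        if hmac.compare_digest(expected, nonce):
            return True
    return False


def handle_profile_update(post_fields, session_user_id, now=None):
    """Hypothetical handler for a profile form. `post_fields` is the
    decoded POST body; `session_user_id` comes from the login cookie,
    which the browser sends whether or not the user meant to submit.
    Returns (status_code, message)."""
    action = "update-profile"
    if not verify_nonce(post_fields.get("_wpnonce"), action,
                        session_user_id, now):
        # The cookie proves identity, but not that the request came
        # from a page this user actually loaded from this site.
        return 403, "nonce check failed"
    if "pass1" not in post_fields:
        return 400, "missing fields"
    return 200, "password updated"


if __name__ == "__main__":
    fixed_now = 1_000_000  # constructed timestamp for reproducibility
    victim = 3
    # The auto-submitted form from a third-party page: cookies present,
    # chosen field values present, nonce absent.
    forged = {"pass1": "attacker-chosen", "pass2": "attacker-chosen"}
    print(handle_profile_update(forged, victim, fixed_now))
    # The same fields submitted from the real profile page.
    legit = dict(forged, _wpnonce=create_nonce("update-profile", victim, fixed_now))
    print(handle_profile_update(legit, victim, fixed_now))
```

Two properties fall out of binding the nonce to the user and the action: a nonce minted for user 3 does not validate for user 4, and a nonce minted for one form cannot be replayed against another. Because the value is an HMAC rather than a random token stored per session, the server keeps no state and cannot be made to fill a table with unused nonces.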