[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Mark Jaquith mark.wordpress at txfx.net
Sun Mar 4 18:43:43 GMT 2007

On Mar 3, 2007, at 10:59 AM, Robert Deaton wrote:

> <form name="bar" target="foo" method="post"
> action="http://yoursite/wp-admin/bad-script.php" style="display:none">
> <input type="hidden" name="var1" value="value1"/>
> <input type="hidden" name="var2" value="value2"/>
> <input type="hidden" name="var3" value="value3"/>
> <input type="submit" name="weneedthistosubmit"/>
> </form>
> <script type="text/javascript">
> document.forms['bar'].submit();
> </script>


The above will submit the form on load, to a third party site, with  
cookies intact.  In the run-up to the nonces solution, I was able to  
write a script that, if passed a WP install URL, did the following:

1. spawned 10 different hidden iframes with incrementing user ids (1  
through 10)
2. each iframe contained a script that printed a user's WP profile  
page form with a new password
3. each of the 10 forms auto-submitted

The result was that if a user of the site went to the URL (note, a  
GET URL) and their user ID on that site was from 1 to 10, their  
password would be changed.  Since THEY were the ones who submitted  
the form, they'd get the new login cookie.  So they probably wouldn't  
even notice that their password had been changed, as they could still  
access wp-admin in their main browser.  The script could have easily  
immediately tried to use the password.  It could have then grabbed  
that blog's blogroll and submitted CSRF URLs as trackbacks to those  
friendly sites, which, if clicked, would compromise them as well.

>> Nonces exist to protect against CSRF, against unintentional  
>> authorized actions.  They verify intention, because they pass  
>> along a piece of information that you'd only have if you were  
>> making the request from an authorized page.
> In other words it's a somewhat less spoofable, less blockable  
> referer header.

Yes.  Less spoofable, and works through proxies and on UAs that don't  
send referers.  It verifies that the request comes from within WP.

> However nonces are not a full solution either. They have failed to  
> protect WordPress from some of the vulnerabilities uncovered in the  
> last few months.

Most of the WP vulnerabilities uncovered in the last few months have  
been XSS, SQL injection, or PHP bugs.  Nonces have effectively closed  
off CSRF bugs, which is what they were meant to do.

Mark Jaquith

Covered Web Services
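
The check discussed in this message (a value the request only carries if it was made from a page the site itself rendered), as an added example that is not part of the original message and is not WordPress's own nonce code. The secret, the `_nonce` field name, the 12-hour tick and all function names are assumptions made for illustration.

```php
<?php
// Added illustration; NONCE_SECRET, the field name "_nonce" and every function
// name here are hypothetical, not WordPress's API.
const NONCE_SECRET = 'constructed-sample-secret-use-a-long-random-value';
const NONCE_TICK_SECONDS = 43200; // a nonce is accepted in its own and the next tick

function nonce_tick(?int $now = null): int {
    return (int) ceil(($now ?? time()) / NONCE_TICK_SECONDS);
}

// MAC over (time tick, action, user): the value is only known to a page the
// site itself rendered for this user and this action.
function nonce_for_tick(int $tick, int $userId, string $action): string {
    return substr(hash_hmac('sha256', "$tick|$action|$userId", NONCE_SECRET), 0, 20);
}

function create_nonce(int $userId, string $action, ?int $now = null): string {
    return nonce_for_tick(nonce_tick($now), $userId, $action);
}

function verify_nonce(string $nonce, int $userId, string $action, ?int $now = null): bool {
    $tick = nonce_tick($now);
    // Constant-time comparison against the current and the previous tick.
    return hash_equals(nonce_for_tick($tick, $userId, $action), $nonce)
        || hash_equals(nonce_for_tick($tick - 1, $userId, $action), $nonce);
}

// Handler for a state-changing POST: verify intent before touching any data.
function handle_profile_update(array $post, int $sessionUserId): string {
    $targetId = (int) ($post['user_id'] ?? 0);
    $nonce = is_string($post['_nonce'] ?? null) ? $post['_nonce'] : '';
    if (!verify_nonce($nonce, $sessionUserId, "update-user_$targetId")) {
        return 'rejected: missing or invalid nonce';
    }
    return "accepted: profile $targetId updated";
}

// Constructed requests, all arriving with user 3's session cookie.
$sameSite  = ['user_id' => 3, '_nonce' => create_nonce(3, 'update-user_3')];
$crossSite = ['user_id' => 3];   // auto-submitted form: cookie rides along, nonce does not
$reused    = ['user_id' => 3, '_nonce' => create_nonce(3, 'delete-post_7')]; // other action
foreach ([$sameSite, $crossSite, $reused] as $request) {
    echo handle_profile_update($request, 3), PHP_EOL;
}
```

Only the first request is accepted: the session cookie authenticates all three, but the nonce is what ties the request to a specific action on a page the site generated for that user.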
