[wp-hackers] wp-admin folder and admin-ajax.php

Ben Huson ben at thewhiteroom.net
Wed Aug 11 09:19:10 UTC 2010


Thanks Westi,

I'm also interested in some AJAX tips. I found lots of talk about how
WordPress wasn't going to implement a front end ajax handler for
'security reasons' but no real insight into what those reasons were,
so thank you for clarifying that.

So if it is necessary to use front end AJAX that doesn't require
authentication, for example to return a post query or something, we
should write our own handler for that - a bit like the long switch
statement in admin-ajax.php.

I like the way that admin-ajax.php makes use of the do_action(
'wp_ajax_' . $_GET['action'] ) hook. It would be nice to implement
something like this for front end AJAX calls, but are there any
security implications with this (presuming that you have validated
that $_GET['action'] is a safe string)?

- Ben



On 11 August 2010 09:53, Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
>
> On 9 Aug 2010, at 14:54, scribu wrote:
>
>> On Mon, Aug 9, 2010 at 4:27 PM, Gavin Pearce <Gavin.Pearce at 3seven9.com> wrote:
>>
>>> Does anyone know of any plans or discussions, regarding a
>>> "configuration" option for moving the wp-admin folder? Is it in the
>>> pipeline?
>>>
>>
>> No discussions that I'm aware of.
>>
>
> Highly unlikely.
>
>>
>>
>>> Working on hardening a WordPress install for a security conscious
>>> client, I can't IP restrict the wp-admin folder, because admin-ajax.php
>>> is sometimes required by the front-end. Seems a strange idea to me!
>>> (Obviously ways around this, just seems a strange way of doing things -
>>> maybe someone can explain why?).
>>>
>>> Can't find a ticket open for either of the above, but maybe I'm being
>>> blind!
>>>
>>
>> A front-end ajax handler has been proposed before:
>>
>> http://core.trac.wordpress.org/ticket/12400
>>
>
>
> We toyed for a very short time with a front end ajax handler and the problem is that for significantly important security reasons we send different cookies for front end page views than we do for admin ones.
>
> Basically on the front end we have a cookie to say that you are logged in but that doesn't actually authorise you to perform any actions and for the admin we have the authorisation cookie.
>
> This makes it much easier to ensure that a site is well protected against XSS issues allowing people to steal your cookies.
>
> If you have a plugin that is using admin-ajax for something which doesn't require authentication then it should likely be rewritten to not require access to admin-ajax otherwise you want it to use it for the improved security.
>
> Cheers
>
> westi
> --
> Peter Westwood
> http://blog.ftwr.co.uk | http://westi.wordpress.com
> C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
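An added example of the kind of front-end handler Ben describes, written for this thread and not taken from WordPress core or any plugin. It dispatches through do_action() the way admin-ajax.php does, but only after the action name has been reduced to a safe hook suffix and matched against an explicit whitelist, and it applies westi's distinction: a logged-in cookie alone authorises nothing, so any state-changing action must carry a nonce tied to that action and pass a capability check, while read-only actions such as a post query run without trusting any cookie. The plugin name, the `myplugin_ajax` query variable, the `myplugin_ajax_*` hook prefix and the two action names are hypothetical; `sanitize_key()`, `check_ajax_referer()`, `current_user_can()`, `status_header()`, `wp_die()`, `get_posts()` and the `template_redirect` hook are real WordPress functions.

```php
<?php
/*
 * Added example (not from the thread): a minimal front-end AJAX endpoint
 * for a hypothetical plugin, reached via /?myplugin_ajax=1&action=...
 * (hypothetical query variable). Loaded as a plugin file.
 */

// Whitelist of actions. Read-only ones are public; anything that changes
// state is mapped to the capability it requires.
function myplugin_public_actions() {
    return array( 'recent_posts' );
}
function myplugin_private_actions() {
    return array( 'save_note' => 'edit_posts' );
}

function myplugin_handle_front_ajax() {
    if ( empty( $_GET['myplugin_ajax'] ) ) {
        return;
    }

    // sanitize_key() reduces the value to [a-z0-9_-], so the hook name
    // built from it cannot carry anything unexpected.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $private = myplugin_private_actions();

    if ( in_array( $action, myplugin_public_actions(), true ) ) {
        // Public and read-only: no cookie is trusted and nothing is changed.
    } elseif ( isset( $private[ $action ] ) ) {
        // The front-end "logged in" cookie is not authorisation (westi's
        // point), so require a nonce bound to this action plus a capability.
        check_ajax_referer( 'myplugin_' . $action, '_wpnonce' );
        if ( ! current_user_can( $private[ $action ] ) ) {
            status_header( 403 );
            wp_die( '-1' );
        }
    } else {
        // Unknown action: never reaches do_action().
        status_header( 400 );
        wp_die( '0' );
    }

    // Dispatch exactly as admin-ajax.php does; a handler ends with wp_die().
    do_action( 'myplugin_ajax_' . $action );
    wp_die( '0' );
}
add_action( 'template_redirect', 'myplugin_handle_front_ajax' );

// Public handler: a post query, as in Ben's example. Returns only
// published posts and only the fields the client needs.
function myplugin_ajax_recent_posts() {
    $posts = get_posts( array( 'numberposts' => 5, 'post_status' => 'publish' ) );
    $out   = array();
    foreach ( $posts as $p ) {
        $out[] = array( 'id' => $p->ID, 'title' => $p->post_title );
    }
    header( 'Content-Type: application/json; charset=utf-8' );
    echo json_encode( $out );
    wp_die();
}
add_action( 'myplugin_ajax_recent_posts', 'myplugin_ajax_recent_posts' );
```

The whitelist, not the sanitising, is what makes the do_action() dispatch safe: sanitize_key() only guarantees the suffix is a plain token, while the explicit list guarantees the request can reach nothing but the handlers you registered for it.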

