[wp-hackers] Rethinking check_admin_referer()

John Joseph Bachir jjb at ibiblio.org
Mon Apr 17 16:48:04 GMT 2006


On Mon, 17 Apr 2006, Robert Deaton wrote:

> On 4/17/06, John Joseph Bachir <jjb at ibiblio.org> wrote:
>> I have had neither coffee nor lunch yet today so maybe I am forgetting
>> something obvious, but: isn't the biggest problem with security
>> through referer checks that referers can be trivially spoofed from the
>> client side? Or to put it another way, the http client has the option of
>> supplying an arbitrary referer string?
>
> Without a cookie, that doesn't really matter at this stage of the
> game, we're assuming that the user's cookie hasn't been stolen, if it
> has, the fact that referers can be spoofed is trivial then as well,
> considering that with a cookie you can just log right in. Checking
> referers here is not the security issue, it's a convenience issue,
> because more and more people are disabling referer sending, whether it
> be voluntary, firewalls, Norton, etc.

Well, an exploit like that would require getting a malicious binary onto 
the victim's computer. So I suppose we would be protecting against a case 
where an attacker can get a binary onto a user's computer, but can't get 
the cookie _off_ of their computer (which is easier to do). A bit 
far-fetched I suppose... until someone makes an Outlook worm to install 
such a binary.  :)

John
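An added illustration in Python (not code from WordPress or from this thread) of the two checks under discussion: a Referer comparison that tells a stripped header apart from a mismatched one, and a per-user, per-action token that does not rely on the Referer header at all. The secret, host names and time buckets below are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed secret for the demo; a real site would use its own secret key.
SECRET = b"constructed-demo-secret"


def referer_check(headers: dict, site_host: str) -> str:
    """Classify a request by its Referer header.

    Returns 'ok' when the Referer host is our own site, 'missing' when the
    header is absent (browser setting, firewall or proxy stripped it, the
    "convenience issue" in the thread) and 'mismatch' when it names another
    site, which is what a form submitted from a third-party page looks like.
    """
    ref = headers.get("Referer")
    if not ref:
        return "missing"
    host = urlsplit(ref).hostname
    return "ok" if host and host.lower() == site_host.lower() else "mismatch"


def make_nonce(user_id: int, action: str, tick: int) -> str:
    """Token bound to user, action and a time bucket.

    A third-party page cannot compute it without SECRET, so the check does
    not depend on the client sending (or keeping) a Referer header.
    """
    msg = f"{user_id}|{action}|{tick}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce: str, user_id: int, action: str, tick: int) -> bool:
    """Accept the current bucket or the previous one, comparing in constant time."""
    for t in (tick, tick - 1):
        if hmac.compare_digest(make_nonce(user_id, action, t), nonce):
            return True
    return False
```

The referer check tells the application why a request failed; the token check is what makes the decision independent of whether a Referer arrived at all.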


More information about the wp-hackers mailing list