[wp-hackers] Rethinking check_admin_referer()

Peter Westwood peter.westwood at ftwr.co.uk
Mon Apr 17 21:48:12 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Jaquith wrote:
> On Apr 17, 2006, at 2:37 AM, Matt Mullenweg wrote:
> 
>>> 1) function wp_secure_form($key='') { }
>>> This function would echo out a hidden form input with an md5 hash
>>> computed on (a) the database password, (b) the userid, and (c) the
>>> optional key.  This would give us a hash that is unique to the
>>> specific WP user on that install, and optionally, specific to the
>>> particular task being performed.  For example, for deleting a post,
>>> you could do wp_secure_form('delete_post_' . $post_id); and it would
>>> be locked down to the install, the user, the "delete" action, and
>>> that specific post.
>>
>> Unfortunately this doesn't work, because it's trivial to fetch the
>> page and grab the key/nonce before submitting the malicious request.
> 
> How could this be done without <script> injection (a security problem in
> its own right)?  It may just be that it is 4am, but without injection of
> a malicious script, in which case the security breach has already
> occurred, I can't see how you are going to load the page as the
> authenticated user and extract the key.  There's probably a "oh, duh"
> answer to this, but I just can't see it now.
> 

I'm not sure that the how is really the issue here.

To me it's more that you _cannot_ rely on generating a key as a one time
operation "per user" / "per action type".

You need to generate a nonce "per action" and have that stored within
the db - in say user meta information - and timed out so that it doesn't
last forever; otherwise it is next to useless, as it allows for any type
of multi-pronged offline attack.

For example with your solution one attack can get the key and another can
use it!

You must remember that the whole point behind a nonce [1] rather than a
key is that it is for one-time use only - if you can use it more than
once its security benefit is removed.

1 - http://en.wikipedia.org/wiki/Nonce

westi
- --
Peter Westwood
http://blog.ftwr.co.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFERA0cVPRdzag0AcURApRwAKCbmcnyqA2dW8nh5+akku8rP+FxUwCdFiIS
zhGuUCo+54QjXk5w7nF9p+U=
=594X
-----END PGP SIGNATURE-----
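The two designs contrasted in this thread, shown side by side as an added illustration (not code from the thread or from WordPress, and written in Python rather than PHP as a language-agnostic sketch): `derived_key` models the deterministic hash Matt objects to, and `NonceStore` models what Peter asks for, a random nonce minted per action instance, kept server-side (a dict stands in for user meta), timed out, and rejected on any second use. The names `derived_key`, `NonceStore`, `demo` and the 600-second TTL are constructed for the example; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time


def derived_key(db_password: str, user_id: int, key: str = "") -> str:
    """The scheme under discussion: md5 over (db password, user id, optional key).

    It is deterministic: every page load for the same user and action yields
    the same value, so a captured copy stays valid until an input changes.
    Constructed illustration, not WordPress code.
    """
    return hashlib.md5(f"{db_password}|{user_id}|{key}".encode()).hexdigest()


class NonceStore:
    """Server-side one-time nonces, one per action instance, with a time limit.

    The dict stands in for the per-user meta table suggested in the thread.
    `now` is injectable so that expiry can be tested deterministically.
    """

    def __init__(self, ttl_seconds: int = 600, now=time.time) -> None:
        self.ttl = ttl_seconds
        self.now = now
        self._issued = {}  # (user_id, nonce) -> (bound_action, issued_at)

    def issue(self, user_id: int, action: str) -> str:
        """Mint a fresh random nonce bound to this user and this action."""
        nonce = os.urandom(16).hex()
        self._issued[(user_id, nonce)] = (action, self.now())
        return nonce

    def consume(self, user_id: int, action: str, nonce: str) -> bool:
        """Accept the nonce at most once; reject it if stale or bound elsewhere."""
        # Remove on first sight, so a second presentation (replay) cannot
        # succeed regardless of whether this presentation is accepted.
        entry = self._issued.pop((user_id, nonce), None)
        if entry is None:
            return False
        bound_action, issued_at = entry
        if self.now() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(bound_action.encode(), action.encode())

    def purge_expired(self) -> int:
        """Housekeeping: drop stale entries so the store does not grow forever."""
        cutoff = self.now() - self.ttl
        stale = [k for k, (_, issued_at) in self._issued.items() if issued_at < cutoff]
        for k in stale:
            del self._issued[k]
        return len(stale)


def demo() -> dict:
    """Exercise both schemes; every value in the returned dict should be True."""
    clock = [1_000.0]
    store = NonceStore(ttl_seconds=600, now=lambda: clock[0])
    uid = 7
    results = {}
    # Derived key: identical across requests, so a captured copy is reusable.
    results["derived_key_is_stable"] = derived_key(
        "dbpass", uid, "delete_post_42"
    ) == derived_key("dbpass", uid, "delete_post_42")
    # Nonce: first use accepted, replay of the same value rejected.
    n = store.issue(uid, "delete_post_42")
    results["first_use_ok"] = store.consume(uid, "delete_post_42", n)
    results["replay_rejected"] = not store.consume(uid, "delete_post_42", n)
    # Nonce bound to one action does not authorise a different one.
    n = store.issue(uid, "delete_post_42")
    results["other_action_rejected"] = not store.consume(uid, "delete_post_43", n)
    # Nonce older than the TTL is rejected even on first use.
    n = store.issue(uid, "delete_post_42")
    clock[0] += 601
    results["expired_rejected"] = not store.consume(uid, "delete_post_42", n)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Popping the entry before any check is deliberate: whether the presentation succeeds or fails, that nonce value is gone, which is exactly the single-use property the message argues for. The `purge_expired` sweep is the "timed out" part on the storage side; `consume` still checks age itself so an unswept entry cannot be used late.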