[wp-hackers] Rethinking check_admin_referer()

Mark Jaquith mark.wordpress at txfx.net
Tue Apr 18 01:26:59 GMT 2006


On Apr 17, 2006, at 5:48 PM, Peter Westwood wrote:

> You need to generate a nonce "per action" and have that stored within
> the db - in say user meta information and timed out so that it doesn't
> last forever, otherwise it is next to useless as it allows for any type
> of multi-pronged offline attack.
>
> For example, with your solution one attack can get the key and another
> can use it!

Again, my question is: HOW can an attacker get the key if it is only
shown on admin pages where the login has been validated via cookies?
An attacker would have to trick a logged-in user into clicking a link
that would give the attacker the key by extracting it from the
document... but that's not a CSRF attack, that's an XSS attack, and it
is its own security vulnerability that has to be fixed by
validating/filtering input data.  And if you can inject a script, the
current referer-based checks can be bypassed anyway.

--
Mark Jaquith
http://txfx.net/
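An added illustration of the per-action, per-user, time-limited nonce Peter describes (example code written for this editing pass, not WordPress code or code from either poster): instead of storing nonces in user meta, the nonce is a keyed hash of a coarse time tick, the action name and the user id, so a value leaked from one admin page is useless for any other action or user and stops verifying after the window. The secret key, the lifetime and the action names are assumptions for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example: a server-side secret that never reaches the browser.
SECRET_KEY = b"replace-with-a-long-random-server-secret"
NONCE_LIFETIME = 12 * 60 * 60  # seconds a nonce stays valid (assumed value)


def _tick(now: float) -> int:
    """Coarse time bucket; expiry falls out of the bucket, no database row needed."""
    return int(now / (NONCE_LIFETIME / 2))


def _digest(tick: int, action: str, user_id: int) -> str:
    """Keyed hash binding the tick, the action and the logged-in user together."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action: str, user_id: int, now: Optional[float] = None) -> str:
    """Nonce to embed in the form or link for exactly one action and one user."""
    now = time.time() if now is None else now
    return _digest(_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: Optional[float] = None) -> bool:
    """Accept the current tick or the one before it; anything older has expired."""
    now = time.time() if now is None else now
    tick = _tick(now)
    for candidate in (tick, tick - 1):
        if hmac.compare_digest(nonce, _digest(candidate, action, user_id)):
            return True
    return False
```

Note that, as Mark says, this only closes the CSRF hole: a script injected into the admin page can still read the nonce, so the XSS side must be fixed by output escaping and input validation regardless.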
