[wp-hackers] Security at Wordpress

Ryan Scheuermann ryan at concept64.com
Mon Apr 24 16:13:58 GMT 2006


Owen Winkler wrote:
> Ryan Scheuermann wrote:
>> 3. no need for nonces if the delete action requires POST
>
> Using POST does not obviate nonces or referer checks.  If someone were 
> to create a form on a different site that POSTed the right info to the 
> page that deletes your posts, and then tricked you into clicking it 
> somehow, it would delete the posts.  And we're talking about deleting 
> more than one post now?  Yikes.  Yes, it would work with just the 
> referer check, but then that form would only work in environments that 
> support the referer.  That is what the nonces are for, to replace 
> referer checks with something more available.
>
> Using POST does not obviate nonces or referer checks.
>
You're right, I forgot about CSRF.  So we keep nonces.  But with this 
solution, we could still use POST - even with nonces - which would 
remove the "click bad comment link -> delete my blog" security hole.  
BTW, what's the official name for this security issue?
>> 5. adds new functionality for mass delete of posts (even if not needed)
>
> Oops.  I just accidentally deleted <s>that one post</s> *everything*. 
> Oh, dear.
> Time to revisit this:
> http://www.asktog.com/columns/069ScottAdamsMeltdown.html
>
If the checkboxes were only used for delete and we didn't have a 
"check/uncheck all" button, how would the user accidentally delete 
everything?  They would have to click through every checkbox "on 
accident" and then "on accident" click the Delete Checked Posts form 
submit button on the bottom of the page.  I'd like to meet the user that 
accidentally does this.  :-)
>> 7. follows a widely accepted and user-friendly model for web 
>> applications
>
> It also makes it very difficult to insert new per-row POST forms, if 
> that's something we might ever consider in the future.  As unlikely as 
> that might be.  Although, I do remember code around in one of these 
> tables that let you add new columns in a clever way.  Might have been 
> the Manage Posts page.
>
> Owen
>
Making it difficult for a future "maybe" doesn't seem like a good reason 
not to do it.

Don't get me wrong Owen, I'm not trying to throw more flames on this 
fire, I'm just trying to present a solution that might be acceptable to 
the masses without stepping on developers toes or result in (gasp!) 
forking the project for no reason.

Ryan


More information about the wp-hackers mailing list