[wp-hackers] Security at Wordpress

Mon Apr 24 19:22:36 GMT 2006

David House wrote:
> You log into your blog one...you don't hit the "Log Out" 
> then you're browsing your way through the World Wide Web, and 
> you come across this: http://asymptomatic.net/temp/hack.htm
> You click it, and OOPS! It's too late. There goes one of your posts.
> Therefore, we either need nonces or a referer check. 
Obviously what David gave is just an example but I figured I'd add onto it a
little.  

If you just came across a link while browsing, that link would have to know
who you are in order to try to attack your blog specifically.  
That's not as far fetched as it may sound.  Let's say for instance you were
in a heated debate on some email list and got someone angry at you.
Then they use this attack targeted deliberately at you knowing you ran an
older version of WP.  

The older version is required for. as David implies, Wordpress blocks this
kind of attack now through the referrer check.  

This is just one way that WP 2.0 is so much safer than say 1.2.

> Referer checks are a pain to those firewalled, and are easy to miss, so
I'd vote for
> nonces.
Additionally, they are easy to miss AND they are easily forged.  This can be
done in custom browsers or by webservers themselves.

> And thus, anyone that says switching to POST is a magic bullet needs
> to rethink their views. 
What David does not say in so many words is that hack.htm can include a form
that is submitted via a POST.
It can be done without a button or even as a page is displayed without any
interaction from the user.

Right now it is a combination of things that makes WP safe.  To perform most
admin actions, you need up to things.
1. An admin with an active cookie.
2. To have just come from a WP Admin page. (referer check)
3. For some actions, like adding a user, a post.

I'd already discussed a way to get past 1 & 2 at the same time.  And someone
posted an example of doing it.  Another example I (accidentally) listed
earlier showed how to get past 2 & 3 at the same time.  However, getting
past both 2 & 3 is worthless if you don't have #1 - an admin cookie.
Getting a cookie from another site is not impossible, but WordPress blocks
most attacks that can do it.  However, any php or htm on a site, has access
to your cookie for that site.  So, if you allow people to put a file on your
site, you've just given away the last restriction.

Nonces, then add a #4 to the list (or perhaps replaces #2)
Then the attacker has to figure out a way to retrieve the nonce prior to the
attack.  Putting it in the cookie, means that you are back down to only
having to get the cookie before you have everything.  So, the present
proposal builds it into the form, if memory serves.  So, I think that's
pretty much where we are at in the conversation.

BTW some could say that there already is a #4
4. Prompting Yes or No

However, that yes or no submit the "Yes" command somewhere, somehow too.
So, unless it uses nonces too, that one is really a non-starter.  