[wp-hackers] Moved from BlogWare to WordPress - Need Help

Mark Jaquith mark.wordpress at txfx.net
Sat May 20 11:00:14 GMT 2006


On May 20, 2006, at 6:39 AM, Sean Hickey wrote:

>> Referrer check is, sadly, unreliable here, because of an IE bug that
>> allows for referrer spoofing for AJAX requests.  I suggest you look
>> at how WP handles AJAX security in the admin (sends the login cookie
>> along with the AJAX request and verifies it on the backend).
>
> Wouldn't that be pointless with admin.php included, since those
> scripts check the cookie?

If a user is tricked into submitting a malicious request to his own
blog, the cookie is used to verify him, so admin.php is taken care
of.  Putting the cookie into the actual POST is something the hacker
can't do, because the hacker can't get the cookie.  So, the cookie
works as authentication for admin.php, and the cookie included in the
POST works as verification that the request was intentional, which is
what WP checks on AJAX requests.

>>         For example, raw POST data like: action=edit&id=5;DROP  
>> DATABASE databasename;
>
> Isn't wpdb::escape() supposed to handle issues like that? :)

escape() will slash your single quotes, and can prevent injection, as
long as you're using quotes, and as long as you actually run your PHP
vars through it!

> That being said, I still
> think the plugin is pretty safe for now.  A lot has to go wrong before
> someone can gain entry, and the plugin is only susceptible to some of
> the holes that WP in general is vulnerable to.

The CSF vector requires a bit of social engineering, yes, but Chris
has comment registration turned on, so anyone could register and edit
away.

--
Mark Jaquith
http://txfx.net/
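As an added illustration of the two points in the message above (the cookie-in-POST intent check and the "escaping only helps inside quotes" caveat), here is a small PHP sketch. It is not code from the post, from the plugin under discussion, or from WordPress itself; the function names, the `wordpressuser` cookie name, the `auth_cookie` POST field, and the sample request are all assumptions constructed for the example, and `addslashes()` stands in for `wpdb::escape()`.

```php
<?php
// Added example, not WordPress code. Demonstrates the two checks discussed
// in the thread using hypothetical helper functions.

// 1. Intent check: the browser attaches the login cookie automatically,
//    which authenticates the user for admin.php. A page on another site
//    cannot read that cookie, so it cannot copy its value into the POST
//    body. If the POSTed copy matches, the request came from a page that
//    could read the cookie, i.e. the user's own blog.
function request_is_intentional(array $cookies, array $post, string $cookie_name = 'wordpressuser'): bool
{
    if (!isset($cookies[$cookie_name], $post['auth_cookie'])) {
        return false;
    }
    // Constant-time comparison (PHP >= 5.6) so the check does not leak
    // the cookie value byte by byte through timing.
    return hash_equals((string) $cookies[$cookie_name], (string) $post['auth_cookie']);
}

// 2. Escaping only neutralises quotes, so it protects a value that sits
//    between quotes in the SQL. An unquoted numeric id must be cast
//    instead; a string value must be escaped AND quoted.
function build_edit_query(string $table, $id, string $title): string
{
    $safe_id    = (int) $id;          // "5;DROP DATABASE databasename;" becomes 5
    $safe_title = addslashes($title); // stand-in for wpdb::escape(); quoted below
    return sprintf("UPDATE %s SET title = '%s' WHERE id = %d", $table, $safe_title, $safe_id);
}

// Constructed sample request, mirroring the raw POST data quoted in the thread.
$cookies = ['wordpressuser' => 'alice|abc123'];
$post    = [
    'action'      => 'edit',
    'id'          => '5;DROP DATABASE databasename;',
    'title'       => "O'Reilly",
    'auth_cookie' => 'alice|abc123',
];

if (!request_is_intentional($cookies, $post)) {
    http_response_code(403);
    exit('Request did not carry the expected cookie value.');
}

echo build_edit_query('wp_posts', $post['id'], $post['title']), PHP_EOL;
```

Without the `auth_cookie` field (as a cross-site form would have to submit it), `request_is_intentional()` returns false and the edit is refused even though the login cookie alone would satisfy admin.php. Echoing the login cookie into page markup does expose it to anything that can read the page, which is why WordPress later moved to per-action nonces for the same intent check; the cast-or-quote rule for SQL values is unchanged.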



