[wp-trac] [WordPress Trac] #16449: incorrect referer check in check_admin_referer()

WordPress Trac wp-trac at lists.automattic.com
Thu Feb 3 06:39:22 UTC 2011


#16449: incorrect referer check in check_admin_referer()
--------------------------+-------------------------------------
 Reporter:  indie-ulf     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  3.0.4
 Severity:  normal        |   Keywords:  has-patch needs-testing
--------------------------+-------------------------------------
 The check_admin_referer() function is defined this way:

 "Tests if the current request was referred from an admin page, or (given
 $action parameter) if the current request carries a valid nonce. Used to
 avoid security exploits."

 The older, less secure form with no parameter ("check_admin_referer()")
 still works, it's not documented as deprecated anywhere, and at least one
 plugin with more than 190,000 downloads uses it.

 The problem is that it's not secure. An attacker can fool it easily like
 this:

 1) Put up pages "one.html" and "two.html" on evilsite.com, where
 "one.html" includes "two.html" in an iframe, and "two.html" performs a
 CSRF attack against the admin part of a plugin in Victim's WP install.

 2) "one.html" should include Victim's WP admin URL in the query string for
 the URL given for "two.html" in the iframe (
 http://evilsite.com/two.html?foobar=http://victim.vi/wp-admin/ ). ''The
 Referer check in check_admin_referer() erroneously uses strpos() !==
 false, so it will be fooled by a Referer that looks like this.''

 3) Entice a logged-in administrator to visit http://evilsite.com/one.html.

 I have attached a patch that should correct this issue by changing the
 strpos() call. I hope it won't break anything.

 Ulf Harnhammar

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16449>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
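As an added illustration (not part of the ticket or the attached patch), the weak containment check the report describes is modelled in Python beside a hardened comparison of scheme, host and path prefix; the admin URL and the sample Referer values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the victim site's admin URL (assumption, not a real site).
ADMIN_URL = "http://victim.vi/wp-admin/"


def loose_referer_check(referer: str, admin_url: str = ADMIN_URL) -> bool:
    """Model of the flawed PHP check: strpos($referer, $admin_url) !== false.

    It passes whenever the admin URL appears *anywhere* in the Referer,
    including inside another site's query string.
    """
    return admin_url in referer


def strict_referer_check(referer: str, admin_url: str = ADMIN_URL) -> bool:
    """Hardened check: same scheme, same host, same port, and the Referer's
    path must start with the admin path (which should end in '/')."""
    if not referer:
        return False  # missing or stripped Referer is never accepted
    ref, adm = urlsplit(referer), urlsplit(admin_url)
    if ref.scheme.lower() != adm.scheme.lower():
        return False
    if (ref.hostname or "").lower() != (adm.hostname or "").lower():
        return False
    if ref.port != adm.port:  # both None when the default port is used
        return False
    return ref.path.startswith(adm.path)


# Constructed sample Referer headers for the three cases that matter.
SAMPLE_REFERERS = {
    "legit": "http://victim.vi/wp-admin/plugins.php?page=example",
    "forged": "http://evilsite.com/two.html?foobar=http://victim.vi/wp-admin/",
    "missing": "",
}


def evaluate(referers=SAMPLE_REFERERS) -> dict:
    """Return {name: (loose_result, strict_result)} for each sample Referer."""
    return {
        name: (loose_referer_check(r), strict_referer_check(r))
        for name, r in referers.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:8s} loose={loose!s:5s} strict={strict}")
```

The nonce form of check_admin_referer() with an $action argument, which the ticket quotes from the documentation, remains the stronger defence; a Referer comparison only narrows the gap for callers still using the bare form.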