[wp-hackers] Rethinking check_admin_referer()
Mark Jaquith
mark.wordpress at txfx.net
Mon Apr 17 08:01:10 GMT 2006
On Apr 17, 2006, at 2:37 AM, Matt Mullenweg wrote:
>> 1) function wp_secure_form($key='') { }
>> This function would echo out a hidden form input with an md5 hash
>> computed on (a) the database password, (b) the userid, and (c) the
>> optional key. This would give us a hash that is unique to the
>> specific WP user on that install, and optionally, specific to the
>> particular task being performed. For example, for deleting a
>> post, you could do wp_secure_form('delete_post_' . $post_id); and
>> it would be locked down to the install, the user, the "delete"
>> action, and that specific post.
>
> Unfortunately this doesn't work, because it's trivial to fetch the
> page and grab the key/nonce before submitting the malicious request.
How could this be done without <script> injection (a security problem
in its own right)? It may just be that it is 4am, but without
injection of a malicious script, in which case the security breach
has already occurred, I can't see how you are going to load the page
as the authenticated user and extract the key. There's probably an
"oh, duh" answer to this, but I just can't see it now.
--
Mark Jaquith
http://txfx.net/
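The scheme quoted above (a hidden form field whose value is a hash bound to the install, the user and an optional action key, checked again when the form is submitted) is easy to show end to end. The following is an added example, not WordPress code and not the function either poster had in mind: `wp_secure_token()`, `wp_secure_form()` and `check_secure_form()` are names chosen here, `$install_secret` is a constructed placeholder standing in for the database password the proposal hashes, the user id and post id are constructed values, and the bare `md5()` of the proposal is swapped for an HMAC-SHA256 over the same inputs (PHP 7 or later is assumed for the type declarations and `hash_equals()`).

```php
<?php
// Added example, not part of the original thread or of WordPress.
// Assumptions: $install_secret stands in for the "database password"
// secret of the proposal; the user id comes from the authenticated
// session; HMAC-SHA256 is used instead of a plain md5() concatenation.

/** Derive the token for one user and one action label on this install. */
function wp_secure_token(string $install_secret, int $user_id, string $key = ''): string {
    // Keying the hash with the install secret and mixing in the user id and
    // the action label means a token issued for one user/action does not
    // verify for any other user, action or post.
    return hash_hmac('sha256', $user_id . '|' . $key, $install_secret);
}

/** Echo the hidden input the proposal describes, with the value escaped. */
function wp_secure_form(string $install_secret, int $user_id, string $key = ''): void {
    $token = wp_secure_token($install_secret, $user_id, $key);
    echo '<input type="hidden" name="_wpsecure" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />' . "\n";
}

/** Verify a submitted token; hash_equals() compares in constant time. */
function check_secure_form(string $install_secret, int $user_id, string $key, array $post): bool {
    if (!isset($post['_wpsecure']) || !is_string($post['_wpsecure'])) {
        return false;
    }
    $expected = wp_secure_token($install_secret, $user_id, $key);
    return hash_equals($expected, $post['_wpsecure']);
}

// --- Constructed demonstration values (not real credentials) --------------
$install_secret = 'constructed-install-secret';
$current_user   = 3;
$post_id        = 42;

// Rendering the "delete post 42" form for user 3, as in the quoted example:
wp_secure_form($install_secret, $current_user, 'delete_post_' . $post_id);

// Handling the submission: a form rendered for this user and this post
// carries a matching token and should pass the check.
$genuine = ['_wpsecure' => wp_secure_token($install_secret, $current_user, 'delete_post_' . $post_id)];
var_dump(check_secure_form($install_secret, $current_user, 'delete_post_' . $post_id, $genuine));

// A cross-site forgery that cannot read the page has no token to send,
// and a token captured for post 42 does not verify for post 43 or for
// another user, so all three of these should fail.
var_dump(check_secure_form($install_secret, $current_user, 'delete_post_' . $post_id, []));
var_dump(check_secure_form($install_secret, $current_user, 'delete_post_43', $genuine));
var_dump(check_secure_form($install_secret, 4, 'delete_post_' . $post_id, $genuine));
```

The check in `check_secure_form()` is where the disagreement in the thread matters: a third-party site can make the browser submit a form with the victim's cookies, but the same-origin policy keeps it from reading the victim's rendered page, so it cannot learn the token unless it already runs script in the site's origin. Binding the token to the user and to the specific action also means a token that does leak is only good for that one user and that one post.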