[wp-hackers] Rethinking check_admin_referer()
Owen Winkler
ringmaster at midnightcircus.com
Mon Apr 17 16:04:05 GMT 2006
Brian Layman wrote:
> My first reply suggested building that into the user profile because:
> 1. I'm not sure that the nonce suggestion can be made completely foolproof.
> Just in this thread, a few objections were raised. It doesn't look like it's
> been completely worked out yet.
It can be made completely foolproof; it's just inconvenient to plugins
that use admin pages until they are modified to use the nonces. I'm not
sure what other objections you're talking about.
> 2. I thought Mark was suggesting using AYS prompts as the only security. I
> see now that he was suggesting that only for plugins that haven't added the
> nonce. That's a much better approach than putting AYSs everywhere by
> default. It could probably be enhanced one step further. If the referrer
> check passes, why should the users deal with that extra prompt? Again,
> another reason not to dismiss the referrer check entirely.
Realistically, AYS prompts *are* the only necessary security to prevent
CSRF attacks, because the only time they work is when there is no
confirmation on the action that is executed.
Assuming you don't want to confirm every action every time, you'll need
another method to verify that you're coming from somewhere where it's
permitted to initiate that action. This can be done with the nonces, as
described.
Why not include both methods? Because the referer check doesn't work in
all clients, and the nonce does. The nonce is also more flexible, since
it produces a confirmation message when the nonce is required but not
present, which you can't do with just the referer check. You can also
include valid nonces in URLs in email, which you can't do with a referer
check. Including both methods would require them both to be present in
the code, which requires more testing and support.
Owen
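The nonce scheme described in this message, as an added Python model (this is not WordPress's own check_admin_referer() code): a keyed token bound to the user, the action and a time window, where a missing token yields a confirmation prompt instead of a hard failure, and the same token can be carried in an emailed URL. SECRET_KEY, TICK_SECONDS, the two-tick grace period and the query-parameter name are assumptions for this example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, urlparse, parse_qs

SECRET_KEY = b"constructed-example-secret"  # assumption: a per-site secret, never shipped in code
TICK_SECONDS = 12 * 3600                    # assumption: nonces live for one "tick" plus one grace tick


def nonce_tick(now=None):
    """Coarse time window the nonce is bound to."""
    return int((now if now is not None else time.time()) // TICK_SECONDS)


def _token(user_id, action, tick):
    """Keyed digest over (window, action, user); truncated for URL friendliness."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(user_id, action, now=None):
    return _token(user_id, action, nonce_tick(now))


def check_nonce(request, user_id, action, now=None):
    """Return 'ok', 'confirm' (no nonce: show an are-you-sure prompt, e.g. for an
    unmodified plugin) or 'deny' (nonce present but wrong user/action/window)."""
    nonce = request.get("_wpnonce")  # assumption: parameter name
    if nonce is None:
        return "confirm"
    tick = nonce_tick(now)
    for t in (tick, tick - 1):  # current window plus one previous window
        if hmac.compare_digest(nonce, _token(user_id, action, t)):
            return "ok"
    return "deny"


def action_link(base, action, user_id, now=None, **params):
    """Build a link (e.g. for an email) that carries a valid nonce."""
    params["action"] = action
    params["_wpnonce"] = create_nonce(user_id, action, now)
    return f"{base}?{urlencode(params)}"


def request_from_url(url):
    """Flatten the query string into the dict a handler would see."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```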