[wp-hackers] Rethinking check_admin_referer()

Brian Layman Brian at TheCodeCave.com
Tue Apr 18 22:03:30 GMT 2006


Andy Skelton wrote:
> On 4/18/06, David House <dmhouse at gmail.com> wrote:
>> POST method would fix this. Somebody remind me why we are using GET.
> Indeed it would.

That seems like a fairly major methodology change that could break a lot of
stuff, even though you'd be limiting it to the units that currently have an
embedded referrer check.  Additionally, it would not completely solve the
issue.  

I'll quote that article I linked to earlier: (I don't have the original link
at the moment, but the text is here: http://www.thecodecave.com/csrf.txt)

[quote]
> How can it be fixed? Well, there are a couple of ways to stop it, but the
> easiest (in PHP at least) seems to be to have most of the variables used by
> scripts be used through $HTTP_POST_VARS. So instead of checking for $action
> in a script, $HTTP_POST_VARS['action'] would be checked. This forces the
> user to use a POST request, not a GET.

which means the attacker reverts to using Javascript, or entices the victim
to click on an image that's acting as a submit control in a <form>. 
Requiring POST raises the bar, but doesn't really fix the problem.
[/quote]

So, it seems to be a fairly simple thing to update the post vars by using
JavaScript inside the link.  It makes sense that it would be, but I haven't
tried any of this from this context.  I'll have to build a few test pages
when I get a chance...


