[wp-hackers] Rethinking check_admin_referer()
David Chait
davebytes at comcast.net
Thu Apr 20 15:44:25 GMT 2006
Owen wrote:
| ii) Security - The system is not impenetrable. If an unfiltered URL to
| an admin page that deletes things appears /within/ the admin (such as a
| link in a comment from the comment moderation page), and the admin
| inadvertently clicks on it, it will trigger the deletion.
Questions from this:
1. Why aren't we already filtering ALL URLs that exist within posts or
comments that contain 'wp-admin/', et al? At the least, munge such links
within the admin interface... Wouldn't that remove some aspects of this
attack vector? Or turn links into non-clickable text (I'll copy-paste to my
browser if it avoids security issues! I do this daily with urls in emails
already!).
2. The CSRF example is much scarier. I look at a link-hover in the status
bar, it looks like a valid jpg link, but the thing ends up doing a redirect
back to me with something malicious. I can see how Nonces or other hash
would hopefully eliminate this case.
| If we do anything at all, it should be c with b-2.
I'll buy that. So long as the "AYS" stuff is included.
I have more thoughts, will fork a different topic... ;)
-d
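For readers following the nonce idea above, here is an added illustration (not WordPress code, and not from anyone on the thread) of a nonce check in the spirit of check_admin_referer() with the "AYS" fallback: the token is an HMAC over the action, the user and a time tick, so a delete URL that appears inside a comment cannot carry a valid token for the admin who clicks it. SECRET_KEY, TICK_SECONDS, make_nonce, verify_nonce and admin_referer_ok are hypothetical names chosen for this example.

```php
<?php
// Added example, not WordPress's implementation. Names are hypothetical.
const SECRET_KEY = 'replace-with-a-long-random-secret';   // placeholder secret
const TICK_SECONDS = 12 * 3600;   // a nonce is accepted for the current and previous tick

function nonce_tick(int $now): int {
    return intdiv($now, TICK_SECONDS);
}

// Token bound to the action, the acting user and the time window.
function make_nonce(string $action, int $user_id, int $now): string {
    $tick = nonce_tick($now);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", SECRET_KEY), 0, 16);
}

// True only if the token matches the current or the previous tick (constant-time compare).
function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    foreach ([0, TICK_SECONDS] as $back) {
        $expected = make_nonce($action, $user_id, $now - $back);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// The gate an admin page such as "delete comment" runs before acting.
// Without a valid nonce it renders an "are you sure?" (AYS) form that
// carries a fresh nonce, instead of performing the deletion.
function admin_referer_ok(string $action, int $user_id, array $request, int $now): bool {
    $nonce = $request['_wpnonce'] ?? '';
    if ($nonce !== '' && verify_nonce($nonce, $action, $user_id, $now)) {
        return true;
    }
    // A real page would also re-post the original request fields as hidden inputs.
    echo "Are you sure you want to do this? <form method='post'>"
       . "<input type='hidden' name='_wpnonce' value='"
       . htmlspecialchars(make_nonce($action, $user_id, $now), ENT_QUOTES) . "'>"
       . "<button>Yes</button></form>";
    return false;
}

// Usage with constructed requests: a link found in a comment has no nonce,
// so nothing is deleted; a form the admin submitted from the admin UI passes.
$admin = 7;
$now = time();
$from_comment = ['action' => 'delete', 'comment' => 42];            // no _wpnonce
$from_admin_ui = $from_comment + ['_wpnonce' => make_nonce('delete-comment_42', $admin, $now)];
var_dump(admin_referer_ok('delete-comment_42', $admin, $from_comment, $now));   // bool(false)
var_dump(admin_referer_ok('delete-comment_42', $admin, $from_admin_ui, $now));  // bool(true)
```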