[wp-hackers] Security at Wordpress
Ryan Scheuermann
ryan at concept64.com
Mon Apr 24 18:22:41 GMT 2006
David House wrote:
> On 24/04/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
>
>> Using POST does not obviate nonces or referer checks.
>>
>
> Let's just re-iterate that, folks.
>
>
>> Using POST does not obviate nonces or referer checks.
>>
>
> One more time with feeling.
>
>
>> Using POST does not obviate nonces or referer checks.
>>
>
> A little aside for anyone who doesn't understand the attack vector:
> You log into your blog one day to do a little tidying up. You start to
> notice how great an author you are and what a huge shame it would be
> if someone deleted one of your posts. You then browse to another site.
> Because you are Average Joe User, you don't hit the "Log Out" button
> on your way out, because it's inconvenient (you'd have to type your
> password the next time you arrived if you did that).
>
> You're browsing your way through the World Wide Web, and you come across this:
>
> http://asymptomatic.net/temp/hack.htm
>
> (Perhaps worded a little subtler in real life. Dressed up as a comment
> to a post on another blog, a post that had trackbacked one of your
> masterpieces, perhaps?). You click it, and OOPS! It's too late. There
> goes one of your posts.
>
> Therefore, we either need nonces or a referer check. Referer checks
> are a pain to those firewalled, and are easy to miss, so I'd vote for
> nonces.
>
> And thus, anyone that says switching to POST is a magic bullet needs
> to rethink their views. Switching is _not_ a less complex solution, as
> it would have to be introduced on top of nonces anyway.
>
> However, I am a standards-are-good kind of guy and I would like to see
> a solution where we use POST wherever possible, with GET only as a
> fallback. Andrew K showed us that the UI hit is somewhat negligible
> (although a proper cross-browser solution is a prerequisite), so you
> have my +1 here. Basically, I don't see any advantage or disadvantage
> of either POST or GET.
>
> --
> -David House, dmhouse at gmail.com, http://xmouse.ithium.net
>
Well put, good sir. I apologize for thinking POST would obviate nonces
/ referrer checks. The sheer length of this discussion had caused me to
forget all the angles. :-)
Although, common sense (and the spec) would say using GET for delete is,
well, just bad. Especially on something so critical as whole posts/pages.
Now, it would seem, changing to POST wherever possible is a mostly
academic venture. Is it worth the time? I'm undecided on this. If the
general consensus is that we should change to POST for essential things
like deleting posts/pages (maybe not approve/delete comments?), I'll
volunteer to code the patch. But I won't code it just to prove a now
moot point about security.
Ryan
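The nonce approach David describes above, as an added illustration that is not part of this thread or of WordPress's own code: the token is an HMAC over the logged-in user, the specific action and a time bucket, so a link planted on another site (which carries the victim's session cookie but no nonce) is rejected, and a nonce minted for one user or one post cannot be reused for another. The secret, the 12-hour bucket size, the `_wpnonce` parameter name and the `handle_delete_post` handler are assumptions for the example.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed server-side secret for this example; a real site keeps a
# per-installation secret that never appears in any request.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Nonce lifetime bucket in seconds (12 hours assumed for the example).
TICK_SECONDS = 12 * 60 * 60


def _tick(now: float) -> int:
    """Time bucket a nonce belongs to; current and previous bucket are accepted."""
    return int(now // TICK_SECONDS)


def _mac(tick: int, user_id: int, action: str) -> str:
    """Keyed digest binding the bucket, the user and the exact action together."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def create_nonce(user_id: int, action: str, now: Optional[float] = None) -> str:
    """Mint a token for one user and one action; nothing has to be stored server-side."""
    now = time.time() if now is None else now
    return _mac(_tick(now), user_id, action)


def verify_nonce(nonce: Optional[str], user_id: int, action: str,
                 now: Optional[float] = None) -> bool:
    """Accept only a token minted for this user, this action and a recent bucket."""
    if not nonce:
        return False  # a forged cross-site link carries the cookie but no nonce
    now = time.time() if now is None else now
    for tick in (_tick(now), _tick(now) - 1):
        if hmac.compare_digest(nonce, _mac(tick, user_id, action)):
            return True
    return False


def handle_delete_post(params: dict, session_user_id: int,
                       now: Optional[float] = None) -> str:
    """Hypothetical admin handler: a valid session alone does not authorise the delete."""
    post_id = params.get("post")
    action = f"delete-post_{post_id}"  # action is bound to the specific post
    if not verify_nonce(params.get("_wpnonce"), session_user_id, action, now):
        return "rejected: missing or invalid nonce"
    return f"deleted post {post_id}"
```

The same check applies whether the request arrives by GET or POST, which is the point made repeatedly above: the method changes nothing about whether the browser will attach the victim's cookie.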