[wp-hackers] Moved from BlogWare to WordPress - Need Help
Mark Jaquith
mark.wordpress at txfx.net
Sat May 20 11:00:14 GMT 2006
On May 20, 2006, at 6:39 AM, Sean Hickey wrote:

>> Referrer check is, sadly, unreliable here, because of an IE bug that
>> allows for referrer spoofing for AJAX requests. I suggest you look
>> at how WP handles AJAX security in the admin (sends the login cookie
>> along with the AJAX request and verifies it on the backend).
>
> Wouldn't that be pointless with admin.php included, since those
> scripts check the cookie?

If a user is tricked into submitting a malicious request to his own
blog, the cookie is used to verify him, so admin.php is taken care
of. Putting the cookie into the actual POST is something the hacker
can't do, because the hacker can't get the cookie. So, the cookie
works as authentication for admin.php, and the cookie included in the
POST works as verification that the request was intentional, which is
what WP checks on AJAX requests.

>> For example, raw POST data like: action=edit&id=5;DROP
>> DATABASE databasename;
>
> Isn't wpdb::escape() supposed to handle issues like that? :)

escape() will slash your single quotes, and can prevent injection, as
long as you're using quotes, and as long as you actually run your PHP
vars through it!

> That being said, I still
> think the plugin is pretty safe for now. A lot has to go wrong before
> someone can gain entry, and the plugin is only susceptible to some of
> the holes that WP in general is vulnerable to.

The CSRF vector requires a bit of social engineering, yes, but Chris
has comment registration turned on, so anyone could register and edit
away.
--
Mark Jaquith
http://txfx.net/
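The two points Mark makes above, worked through as an added example (this is not code from the thread or from WordPress itself): first, the cookie-in-the-POST pattern, where the browser-sent cookie authenticates the user but only a copy of it in the request body proves the request was intentional, since a third-party page cannot read the cookie; second, why quote-escaping alone does nothing for an unquoted numeric parameter such as the `id=5;DROP DATABASE databasename` POST data quoted above. The cookie name, field name and session value are constructed placeholders, not WordPress's real ones, and `escape_quotes` only imitates the quote-slashing behaviour described for wpdb::escape().

```python
import hmac
from typing import Optional

# Constructed session store: login-cookie value -> username. The cookie and
# POST field names are placeholders, not WordPress's real ones.
SESSIONS = {"sess-9f3a71": "chris"}
LOGIN_COOKIE = "login_cookie"
POST_COOKIE_FIELD = "cookie"


def authenticate(cookies: dict) -> Optional[str]:
    """The admin.php step: map the login cookie to a logged-in user, if any."""
    return SESSIONS.get(cookies.get(LOGIN_COOKIE))


def verify_intent(cookies: dict, post_fields: dict) -> bool:
    """The AJAX step: the POST body must carry a copy of the login cookie.

    A browser attaches cookies to a cross-site POST automatically, so the
    cookie alone proves identity but not intent. A third-party page cannot
    read the cookie value, so it cannot place the copy in the request body.
    """
    expected = cookies.get(LOGIN_COOKIE)
    submitted = post_fields.get(POST_COOKIE_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def handle_admin_post(cookies: dict, post_fields: dict) -> str:
    """Return the status a plugin endpoint should produce for a request."""
    user = authenticate(cookies)
    if user is None:
        return "401 not logged in"
    if not verify_intent(cookies, post_fields):
        return "403 request not verified as intentional"
    return f"200 {user} performed {post_fields.get('action')}"


def escape_quotes(value: str) -> str:
    """Backslash the quote characters, in the spirit of wpdb::escape()."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def update_query_unquoted(raw_id: str) -> str:
    """Escaped but unquoted: the payload contains no quotes, so escaping
    changes nothing and the semicolon still ends the statement."""
    return f"UPDATE posts SET status='draft' WHERE id={escape_quotes(raw_id)}"


def update_query_quoted(raw_id: str) -> str:
    """Escaped and quoted: the whole payload stays inside one string literal."""
    return f"UPDATE posts SET status='draft' WHERE id='{escape_quotes(raw_id)}'"


def update_query_cast(raw_id: str) -> Optional[str]:
    """The right tool for a numeric column: coerce to int, reject anything else."""
    try:
        post_id = int(raw_id)
    except ValueError:
        return None
    return f"UPDATE posts SET status='draft' WHERE id={post_id}"


if __name__ == "__main__":
    logged_in = {LOGIN_COOKIE: "sess-9f3a71"}
    print(handle_admin_post(logged_in, {"action": "edit", POST_COOKIE_FIELD: "sess-9f3a71"}))
    print(handle_admin_post(logged_in, {"action": "edit"}))  # cookie sent, no copy in body
    print(handle_admin_post({}, {"action": "edit"}))         # not logged in at all
    payload = "5;DROP DATABASE databasename"                 # the POST value quoted in the thread
    print(update_query_unquoted(payload))
    print(update_query_quoted(payload))
    print(update_query_cast(payload))
```

The ordering in `handle_admin_post` mirrors the message: the cookie check answers "who is this?", the body check answers "did they mean to send this?", and a request that passes only the first is exactly the forged cross-site request the thread is worried about. The three query builders show that escaping is a property of the quoted context, not of the value: the same escaped payload is harmless inside quotes, a second statement outside them, and simply rejected once the parameter is treated as the integer it is supposed to be.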