[wp-trac] [WordPress Trac] #5838: Make Nonce Mismatch Fail Instead of AYS

WordPress Trac wp-trac at lists.automattic.com
Wed Feb 13 16:17:01 GMT 2008

#5838: Make Nonce Mismatch Fail Instead of AYS
 Reporter:  filosofo  |       Owner:  anonymous                            
     Type:  defect    |      Status:  new                                  
 Priority:  normal    |   Milestone:  2.5                                  
Component:  Security  |     Version:  2.3.3                                
 Severity:  normal    |    Keywords:  nonce ays csrf css security has-patch
 As the post [http://ferruh.mavituna.com/flawed-csrf-protections-oku/ here]
 points out (I've duplicated his attack using my own 2.3.3 setup), you can
 make a CSRF attack that tricks a WordPress user into changing the admin
 password and emailing it to someone, by hiding all of the nonce
 confirmation except the "yes" submit button.

 When the nonce doesn't match, my patch lets you know that the action has
 failed, and it provides a link back to the referring page so that you can
 try again.

Ticket URL: <http://trac.wordpress.org/ticket/5838>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list