[wp-trac] Re: [WordPress Trac] #5838: Make Nonce Mismatch Fail Instead of AYS

WordPress Trac wp-trac at lists.automattic.com
Wed Feb 13 18:01:51 GMT 2008

#5838: Make Nonce Mismatch Fail Instead of AYS
 Reporter:  filosofo                               |        Owner:  anonymous
     Type:  defect                                 |       Status:  reopened 
 Priority:  normal                                 |    Milestone:  2.3.4    
Component:  Security                               |      Version:  2.3.3    
 Severity:  normal                                 |   Resolution:           
 Keywords:  nonce ays csrf css security has-patch  |  
Comment (by mdawaffe):

 A possible alternative would be to still show the AYS screen, not update
 the nonce, but require the user to enter his or her password (or username
 and password) to authenticate the request.

 Pros: keeps the insurance we already have of not losing a POST request
 because of failed/expired nonce.  That's a rare event. I think every time
 I've gotten an AYS it was because of bad code, not an expired nonce, so
 resubmitting by clicking yes didn't work anyway.

 Cons: harder to code, needs to be audited, breaks the "deny, don't fix"
 security philosophy, is still open to social engineering CSRF if a user
 uses the same username/password pair on many sites.  Such a CSRF attack
 could use a form like the following using similar techniques to the one

  Sign up for the new hotness!
  username ____
  password ____

 ... submit... Attack successful: those fields were actually the nonce AYS
 username/password fields.  The user put their "tried and true"
 username/password pair into them.

 Unrelatedly, a plugin can be written to fix this security issue.  Just
 replace check_admin_referer() (it's pluggable).

Ticket URL: <http://trac.wordpress.org/ticket/5838#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list