[wp-trac] Re: [WordPress Trac] #5838: Make Nonce Mismatch Fail
Instead of AYS
WordPress Trac
wp-trac at lists.automattic.com
Wed Feb 13 18:01:51 GMT 2008
#5838: Make Nonce Mismatch Fail Instead of AYS
---------------------------------------------------+------------------------
Reporter: filosofo | Owner: anonymous
Type: defect | Status: reopened
Priority: normal | Milestone: 2.3.4
Component: Security | Version: 2.3.3
Severity: normal | Resolution:
Keywords: nonce ays csrf css security has-patch |
---------------------------------------------------+------------------------
Comment (by mdawaffe):
A possible alternative would be to still show the AYS screen, not update
the nonce, but require the user to enter his or her password (or username
and password) to authenticate the request.
Pros: keeps the insurance we already have of not losing a POST request
because of failed/expired nonce. That's a rare event. I think every time
I've gotten an AYS it was because of bad code, not an expired nonce, so
resubmitting by clicking yes didn't work anyway.
Cons: harder to code, needs to be audited, breaks the "deny, don't fix"
security philosophy, is still open to social engineering CSRF if a user
uses the same username/password pair on many sites. Such a CSRF attack
could use a form like the following using similar techniques to the one
above.
{{{
Sign up for the new hotness!
username ____
password ____
}}}
... submit... Attack successful: those fields were actually the nonce AYS
username/password fields. The user put their "tried and true"
username/password pair into them.
Unrelatedly, a plugin can be written to fix this security issue. Just
replace check_admin_referer() (it's pluggable).
--
Ticket URL: <http://trac.wordpress.org/ticket/5838#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list