Make WordPress Core

#56475 closed defect (bug) (invalid)

Nonce not verified

Reported by: hiren1094 Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.0
Component: Security Keywords: has-patch close
Focuses: coding-standards Cc:

Description

Hello,

The nonce is not verified on the WordPress installation screen.

Kindly check the attached Screenshot for your reference.

Attachments (2)

WordPress › Installation.png (110.3 KB) - added by hiren1094 21 months ago.
Final Screen OF WordPress Installation
56475.patch (1.2 MB) - added by hiren1094 21 months ago.
Patch Added


Change History (11)

@hiren1094
21 months ago

Final Screen OF WordPress Installation

@hiren1094
21 months ago

Patch Added

#1 @hiren1094
21 months ago

  • Keywords has-patch added; needs-patch removed

This ticket was mentioned in PR #3160 on WordPress/wordpress-develop by Hiren1094.


21 months ago
#2

Hello,

Fixed the issue of the nonce not being verified on the final screen of the (WordPress) installation.

Trac ticket: https://core.trac.wordpress.org/ticket/56475

Hiren1094 commented on PR #3160:


21 months ago
#3

Hello @costdev,

Thank you for the suggestion.

I have committed to your suggestion.

This ticket was mentioned in PR #3171 on WordPress/wordpress-develop by Hiren1094.


21 months ago
#4

Hello,

Fixed the issue of the nonce not being verified on the final screen of the (WordPress) installation.

Trac ticket: https://core.trac.wordpress.org/ticket/56475

#5 @costdev
21 months ago

  • Milestone changed from Awaiting Review to 6.1

#6 follow-up: @SergeyBiryukov
21 months ago

Hi there, welcome to WordPress Trac! Thanks for the ticket and the patch.

It is my understanding that nonces are generally used to protect against Cross-Site Request Forgery (CSRF), i.e. to prevent an authenticated user from being tricked into performing an unwanted action.

Just to clarify, since there is no user account on WordPress installation yet, what exactly would we protect against by adding and verifying a nonce there?

#7 in reply to: ↑ 6 @hiren1094
21 months ago

Hello @SergeyBiryukov

As per WordPress coding standards, a nonce should be verified in all form submissions.

And the WordPress installation screen is one kind of form.

As per coding standards, if you are using any HTML or HTTP-based form submissions, use a nonce to guarantee a user intends to perform an action.

#8 @peterwilsoncc
21 months ago

  • Keywords close added

To follow up @SergeyBiryukov's comment: I don't think a nonce serves a purpose on this screen. As the form is presented to a logged-out user, the nonce won't protect against CSRF attacks.

If a site wishes to fool someone into submitting the form, it can get the nonce in the background as a logged-out user. Once it has the value, it can use it in the form for another logged-out user to submit.

As per coding standards, if you are using any HTML or HTTP-based form submissions, use a nonce to guarantee a user intends to perform an action.

This is absolutely true when there is a user, but for logged-out visitors there isn't a user to check against. As mentioned above, the original installation screen runs without a user account.

I understand it's a subtle distinction so I hope the explanation helps.

#9 @whyisjake
20 months ago

  • Milestone 6.1 deleted
  • Resolution set to invalid
  • Status changed from new to closed

Thanks for the ticket @hiren1094, marking it as invalid for the above reasons. Thanks for contributing to WordPress.
