Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#56475 closed defect (bug) (invalid)

Nonce not verified

Reported by: hiren1094
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.0
Component: Security
Keywords: has-patch close
Focuses: coding-standards
Cc:

Description

Hello,

The nonce is not verified on the WordPress installation screen.

Kindly check the attached Screenshot for your reference.

Attachments (2)

WordPress › Installation.png (110.3 KB) - added by hiren1094 2 years ago.
Final Screen OF WordPress Installation
56475.patch (1.2 MB) - added by hiren1094 2 years ago.
Patch Added


Change History (11)

@hiren1094
2 years ago

Final Screen OF WordPress Installation

@hiren1094
2 years ago

Patch Added

#1 @hiren1094
2 years ago

  • Keywords has-patch added; needs-patch removed

#2
2 years ago

This ticket was mentioned in PR #3160 on WordPress/wordpress-develop by Hiren1094.

Hello,

Fixed the issue of the nonce not being verified on the final screen of the (WordPress) installation.

Trac ticket: https://core.trac.wordpress.org/ticket/56475

#3
2 years ago

Hiren1094 commented on PR #3160:

Hello @costdev,

Thank you for the suggestion.

I have committed your suggestion.

#4
2 years ago

This ticket was mentioned in PR #3171 on WordPress/wordpress-develop by Hiren1094.

Hello,

Fixed the issue of the nonce not being verified on the final screen of the (WordPress) installation.

Trac ticket: https://core.trac.wordpress.org/ticket/56475

#5 @costdev
2 years ago

  • Milestone changed from Awaiting Review to 6.1

#6 follow-up: @SergeyBiryukov
2 years ago

Hi there, welcome to WordPress Trac! Thanks for the ticket and the patch.

It is my understanding that nonces are generally used to protect against Cross-Site Request Forgery (CSRF), i.e. to prevent an authenticated user from being tricked into performing an unwanted action.

Just to clarify, since there is no user account on WordPress installation yet, what exactly would we protect against by adding and verifying a nonce there?

#7 in reply to: ↑ 6 @hiren1094
2 years ago

Hello @SergeyBiryukov

As per the WordPress coding standards, a nonce should be verified in all form submissions.

And the WordPress installation screen is one kind of form.

As per the coding standards: if you are using any HTML or HTTP-based form submissions, use a nonce to guarantee a user intends to perform an action.

#8 @peterwilsoncc
2 years ago

  • Keywords close added

To follow up on @SergeyBiryukov's comment: I don't think a nonce serves a purpose on this screen. As the form is presented to a logged-out user, the nonce won't protect against CSRF attacks.

If a site wishes to fool someone into submitting the form, it can get the nonce in the background as a logged-out user. Once it has the value, it can use it in the form for another logged-out user to submit.

As per the coding standards: if you are using any HTML or HTTP-based form submissions, use a nonce to guarantee a user intends to perform an action.

This is absolutely true when there is a user, but for logged-out visitors there isn't a user to check against. As mentioned above, the original installation screen runs without a user account.

I understand it's a subtle distinction so I hope the explanation helps.
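The point made in this comment can be shown with a small Python model of how WordPress nonces are derived. This is an added illustration, not WordPress's own code: it mirrors the structure of wp_create_nonce() and wp_verify_nonce() (HMAC-MD5 over tick, action, user ID and session token, keeping ten characters of the digest), with a constructed salt standing in for the site secret. For a logged-out visitor the user ID is 0 and the session token is empty, so the nonce is bound to nothing per-visitor and every anonymous request computes the same value, whereas logged-in sessions each get their own.

```python
import hmac
import hashlib
import math
import time

# Constructed stand-in for wp_salt('nonce'); a real site has a random secret.
NONCE_SALT = b"constructed-example-salt-not-a-real-secret"
NONCE_LIFE = 86400  # DAY_IN_SECONDS, the default nonce lifetime

def nonce_tick(now=None):
    """Model of wp_nonce_tick(): the tick advances every half lifetime."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))

def wp_hash(data):
    """Model of wp_hash($data, 'nonce'): HMAC-MD5 keyed with the nonce salt."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()

def create_nonce(action, uid=0, session_token="", now=None):
    """Model of wp_create_nonce(). A visitor who is not logged in, as on the
    installation screen, has uid 0 and no session token."""
    data = f"{nonce_tick(now)}|{action}|{uid}|{session_token}"
    return wp_hash(data)[-12:-2]

def verify_nonce(nonce, action, uid=0, session_token="", now=None):
    """Model of wp_verify_nonce(): 1 for the current tick, 2 for the previous
    tick, 0 when the nonce matches neither."""
    i = nonce_tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        data = f"{tick}|{action}|{uid}|{session_token}"
        if hmac.compare_digest(wp_hash(data)[-12:-2], nonce):
            return age
    return 0

def anonymous_nonces_match(action, now=None):
    """Two unrelated logged-out visitors receive the same nonce for an action,
    so one visitor's nonce verifies for any other visitor's submission."""
    visitor_a = create_nonce(action, uid=0, session_token="", now=now)
    visitor_b = create_nonce(action, uid=0, session_token="", now=now)
    return visitor_a == visitor_b

def logged_in_nonces_match(action, now=None):
    """Two sessions for different users get different nonces for the same action."""
    alice = create_nonce(action, uid=1, session_token="token-alice", now=now)
    bob = create_nonce(action, uid=2, session_token="token-bob", now=now)
    return alice == bob
```

The values, user IDs and session tokens are constructed for the example; the mitigation the nonce provides comes entirely from the uid and token terms, which is why it adds nothing when both are empty.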

#9 @whyisjake
2 years ago

  • Milestone 6.1 deleted
  • Resolution set to invalid
  • Status changed from new to closed

Thanks for the ticket @hiren1094, marking it as invalid for the above reasons. Thanks for contributing to WordPress.
