NOnces have arrived in WP

WordPress 2.03 is a critical security release. It eliminates the HTTP Referrer check and replaces it with a nonce system. What is a referrer check? Well, it is an attempt to confirm that an administrative action is being taken by an administrator instead of an automated bot. It was a good first step, but it didn’t go far enough and it did not work for everyone. Many systems are stripping of the referrer check. So WP2 didn’t initially work for a lot of people. Additionally, referrers, the browser’s way of indiciating where you came from, are easily forged.

Browsers really do tell a website alot about where you came from. For instance, I can tell which search engine people used to get to my site and what their search words were. Then you can use a tool like AWStats to give you a report. For instance, these are the phrases used to reach my website this morning:

Keyphrases used on search engines  
19 different keyphrases Search Percent
hiphopcaucus 2 9 %
menuext javascript 2 9 %
code cave 2 9 %
clipboard from delphi notepad 1 4.5 %
generating nonce with php 1 4.5 %
hiphopcaucus bot 1 4.5 %
timage in delphi 1 4.5 %
test.txt notepad.exe 1 4.5 %
timage assign 1 4.5 %
php5 binary location 1 4.5 %
neat eye [] 1 4.5 %
isbn vs. asin 1 4.5 %
binary blue scheme 1 4.5 %
level mode super gerball 1 4.5 %
event.srcelement.tagname firefox 1 4.5 %
mark edington 1 4.5 %
paste clipboard from delphi to notepad 1 4.5 %
delphi php developer programmer washington dc 1 4.5 %
paste clipboard from delphi notepad 1 4.5 %

That’s kind of neat, but it is a little bit of an invasion of privacy. Well, at least some people would think so. So, referrers are on their way out and Nonces are on their way in.

A NOnce, a Number variable meant to be used Once, is a temporary key that is passed along with the web page and is used to prove that the action taken was initiate from an administrator page. Basicly WordPress generates a unique number for you and passes that to your browser. Then when you take a secured action, your browser must pass it back. It’s another method for the same goal. Aditionally, a NOnce expires. So, even if someone grabbed it, it would soon go bad.

Why is this important? Why should this release be applied? Well, in short, one could pretty easily erase any post on any blog with an earlier version of WP. I’ve worked at creating an attack that could dynamicaly erase all posts at once, but that was blocked due to other difficulties. So the attacks must be made a post at a time, but that is still a pretty big vulnerability.

Now don’t go all APE on WordPress. The fact is that the web is not a secure place. You should backup your DB, no matter what software you use, regularly. And if you don’t, what you lose is your gone because of your own (in)actions. Besides, how many posts have you had that have been vandalized/erased? None? Well, then calm down, install the update and all will be fine.

The latest in the stable 2.0 series, 2.0.3, is now available for download. This is a bug fix and security release, and is recommended for all WordPress users. In addition to an issue that was raised on Bugtraq a few days ago, we’ve also backported a number of security enhancements from 2.1 to further enhance and protect your blog.

If you are interested in how these enhancements to WordPress security came to pass, look into the archives of the WP Hackers email list and you can see some of the details.
This is a good place to start…
Look for the thread labeled “Rethinking check_admin_referer()” and you can read along php coders (myself included discuss the issue…

Here’s the link for the download:
If you want to get a smaller version of it, with only the changed files, go here:
I haven’t verified his file. So, you should do so on your own, or just bite the bullet and upload the whole release.

I’ll let you know over the next few days how much better this version of WP is.


Add a Comment

Your email address will not be published. Required fields are marked *