Flawed XSRF Protection In WordPress

February 13, 2008

Wordpress XSRF Protection

As demonstrated by ferruh 'http://ferruh.mavituna.com/flawed-csrf-protections-oku/', this is a serious flaw which surprisingly went un-noticed. An admin could be easily tricked into clicking a 'Yes' button resulting in a password update. An attacker could also update the admin's email and use the 'forgot password' functionality to reset his password. WordPress, do not ask user's to provide their existing password to change it.

This demonstrates that inorder to protect against Cross Site request Forgery (XSRF), application's must discard the request whenever any XSRF attempt is detected.  

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback