CSRF Attack on WordPress

Someone named Ferruh has a proof-of-concept cross-site request forgery (CSRF) attack against WordPress (HT: DK at BlogSecurity). I’ve tried it out successfully on my own version of WordPress 2.3.3.

The scenario is like this: you go to leave a comment on someone’s site, and that (evil) site surreptitiously tricks you into changing your WordPress admin password and emailing it to the evil site owner, all by clicking what appears to be a comment submission button.

WordPress guards against CSRF attacks in general by asking you to confirm actions that don’t seem quite right (i.e. when the nonces don’t check out), but this attack hides everything on that confirmation page except the approval button, which then appears to be part of the evil site’s comment form.
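To make the weak spot concrete, here is an added example (it is not the proof-of-concept and not WordPress's own code) contrasting two shapes of an admin action handler: one that answers a failed nonce check with a clickable "are you sure?" page, and one that fails closed. The nonce scheme is modelled on WordPress's (a keyed hash over the action, the user id and a 12-hour time tick, accepted for the current and previous tick); the secret, the user id, the `new_password`/`_nonce` field names and the frame-denial headers are assumptions made for the example, not details taken from the post.

```php
<?php
// Added example, not WordPress code: a nonce-checked "change password" action
// in a confirm-on-failure form and a fail-closed form. Secret and user id are
// constructed values for the demonstration.

declare(strict_types=1);

const NONCE_SECRET = 'constructed-secret-replace-in-production'; // assumption
const NONCE_LIFE   = 43200; // 12 hours, checked as two half-life ticks

function nonce_tick(): int {
    return (int) ceil(time() / (NONCE_LIFE / 2));
}

function make_nonce(string $action, int $userId, ?int $tick = null): string {
    $tick ??= nonce_tick();
    return substr(hash_hmac('sha256', "$tick|$action|$userId", NONCE_SECRET), 0, 10);
}

function verify_nonce(string $nonce, string $action, int $userId): bool {
    $tick = nonce_tick();
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(make_nonce($action, $userId, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Weak pattern: a failed nonce check returns a confirmation page whose one
// button re-submits the same parameters together with a fresh, valid nonce.
// If that page can be shown with everything but the button hidden, a single
// click converts the forged request into a legitimate one.
function handle_confirm_on_failure(array $post, int $userId): array {
    if (!verify_nonce($post['_nonce'] ?? '', 'change_password', $userId)) {
        return [
            'status' => 200,
            'body'   => '<p>Are you sure you want to do this?</p>'
                      . '<form method="post"><input type="hidden" name="new_password" value="'
                      . htmlspecialchars($post['new_password'] ?? '', ENT_QUOTES) . '">'
                      . '<input type="hidden" name="_nonce" value="'
                      . make_nonce('change_password', $userId) . '">'
                      . '<button>Yes</button></form>',
        ];
    }
    return ['status' => 200, 'body' => 'password changed'];
}

// Hardened pattern: a failed nonce check ends the request without carrying the
// submitted parameters forward, and admin responses refuse to be framed so a
// confirmation page cannot be clipped down to a lone approval button.
function handle_fail_closed(array $post, int $userId): array {
    $headers = [
        'X-Frame-Options'         => 'DENY',
        'Content-Security-Policy' => "frame-ancestors 'none'",
    ];
    if (!verify_nonce($post['_nonce'] ?? '', 'change_password', $userId)) {
        return ['status' => 403, 'headers' => $headers,
                'body' => 'request rejected: missing or invalid nonce'];
    }
    return ['status' => 200, 'headers' => $headers, 'body' => 'password changed'];
}

// Constructed requests: one forged (no valid nonce), one from a real form.
$userId = 1;
$forged = ['new_password' => 'attacker-chosen'];
$legit  = ['new_password' => 'new-secret',
           '_nonce' => make_nonce('change_password', $userId)];

echo 'confirm-on-failure, forged: ' . handle_confirm_on_failure($forged, $userId)['status'] . "\n"; // 200 plus a clickable Yes
echo 'fail-closed, forged:        ' . handle_fail_closed($forged, $userId)['status'] . "\n";        // 403
echo 'fail-closed, legitimate:    ' . handle_fail_closed($legit, $userId)['status'] . "\n";         // 200
```

The point of the contrast is that the nonce check itself is sound in both handlers; what matters is what happens on failure. In a real WordPress plugin the equivalent building blocks are `wp_nonce_field()` on the form and `check_admin_referer()` or `wp_verify_nonce()` in the handler, and the handler should stop on failure rather than offer a one-click way to re-submit the forged parameters.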

It’s very easy to imagine how this could be targeted at a user’s blog by using the URL the user enters in an evil site’s comment form. I’ve submitted a suggested solution as a WordPress Trac ticket.

How can you avoid this attack for now? Don’t stay logged in to your WordPress blog when not necessary, and change the default username (or blog under another username with just “author” permissions, and keep “admin” just for occasional site maintenance).

UPDATE: My patch has been committed to both development WordPress and the 2.3 branch, so this issue should be taken care of in the next security release.

10 Comments

  1. Posted July 21, 2009 at 4:10 am | Permalink
    rejja

    WordPress is the best

  2. Posted July 27, 2009 at 7:27 pm | Permalink
    links of london

    Good article, thank you!

  3. Posted January 8, 2010 at 9:34 am | Permalink
    Sharon Stevens

    I had never heard of this earlier, WordPress is the best.

  4. Posted January 25, 2010 at 1:08 am | Permalink
    yuyo

    A pleasure to come to your site. Thanks very much!
    wordpress the best…

  5. Posted January 30, 2010 at 12:56 am | Permalink
    marcus

    No other like wordpress, thank you very nice blog by the way.

  6. Posted March 27, 2010 at 3:46 am | Permalink
    Miss Jezi

    I had never heard of this earlier, WordPress is the best.

  7. Posted April 17, 2010 at 2:42 am | Permalink
    Oyun hileleri indir

    it is awesome, and really great. Thank you a lot…

  8. Posted October 5, 2010 at 7:10 am | Permalink
    Mold Removal Hialeah

    It is awesome. WordPress is the best. Thank you very nice blog by the way.

  9. Posted November 7, 2010 at 5:59 pm | Permalink
    Joe

    w really interesting. Thanks!

  10. Posted November 27, 2011 at 1:53 am | Permalink
    kayseri evden eve

    thank you ver very
