CSRF Attack on WordPress

Someone named Ferruh has a proof-of-concept cross-site request forgery (CSRF) attack against WordPress (HT: DK at BlogSecurity). I’ve tried it out successfully on my own version of WordPress 2.3.3.

The scenario is like this: you go to leave a comment on someone’s site, and surreptitiously that (evil) site tricks you into changing your WordPress admin password and emailing it to the evil site owner by clicking what appears to be a comment submission button.

WordPress guards against CSRF attacks in general by asking the user to confirm any request whose nonce doesn’t check out, but this attack hides all of that confirmation page except the approval button, which appears to be part of the evil site’s comment form.

It’s very easy to imagine how this could be targeted at a user’s blog by using the URL the user enters in an evil site’s comment form. I’ve submitted a suggested solution as a WordPress Trac ticket.

How can you avoid this attack for now? Don’t stay logged in to your WordPress blog when not necessary, and change the default username (or blog under another username with just “author” permissions, and keep “admin” just for occasional site maintenance).

UPDATE: My patch has been committed to both development WordPress and the 2.3 branch, so this issue should be taken care of in the next security release.
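To make the failure mode concrete, here is a small model of the nonce check and of the two ways a handler can react when it fails. This is an added illustration, not the blog’s code or WordPress’s own (WordPress uses its own hash and salts; the half-life tick rule and 10-character truncation are approximated, and the secret, user ids and request dictionaries are constructed). The weak handler reproduces the pattern the post describes: a confirmation page that re-embeds the request behind a single approval button. The hardened one refuses outright and forbids framing.

```python
import hmac, hashlib, math, time
from dataclasses import dataclass, field

SECRET = b"constructed-site-secret-not-a-real-key"  # stand-in for the site salt
NONCE_LIFE = 24 * 60 * 60                            # nonce lifetime: one day

def nonce_tick(now):
    # the tick changes every half-lifetime; current and previous tick are accepted
    return math.ceil(now / (NONCE_LIFE / 2))

def create_nonce(action, user_id, now=None):
    now = time.time() if now is None else now
    msg = f"{nonce_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]  # 10 chars

def verify_nonce(nonce, action, user_id, now=None):
    now = time.time() if now is None else now
    for age in (0, NONCE_LIFE / 2):  # this tick and the one before it
        if hmac.compare_digest(nonce, create_nonce(action, user_id, now - age)):
            return True
    return False

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def weak_handler(request, user_id, now=None):
    """Risky pattern: on nonce failure, re-present the request behind a 'Yes' button."""
    if verify_nonce(request.get("_wpnonce", ""), "update-user", user_id, now):
        return Response(200, f"password updated for user {user_id}")
    hidden = "".join(f'<input type="hidden" name="{k}" value="{v}">'
                     for k, v in request.items() if k != "_wpnonce")
    # the replayed parameters plus a fresh nonce are exactly what a framed page can hide
    hidden += f'<input type="hidden" name="_wpnonce" value="{create_nonce("update-user", user_id, now)}">'
    return Response(200, f"Are you sure?<form method=post>{hidden}<button>Yes</button></form>")

def hardened_handler(request, user_id, now=None):
    """Hardened pattern: refuse, replay nothing, and deny framing of the admin page."""
    if verify_nonce(request.get("_wpnonce", ""), "update-user", user_id, now):
        return Response(200, f"password updated for user {user_id}",
                        {"X-Frame-Options": "DENY"})
    return Response(403, "Are you sure you want to do this? Please try again.",
                    {"X-Frame-Options": "DENY"})
```

X-Frame-Options belongs on every admin page, not only the refusal; it is shown on both responses of the hardened handler for that reason.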

21 Comments

  1. Posted July 21, 2009 at 4:10 am | Permalink
    rejja

    WordPress is the best

  2. Posted July 27, 2009 at 7:27 pm | Permalink
    links of london

    Good article, thank you!

  3. Posted January 8, 2010 at 9:34 am | Permalink
    Sharon Stevens

    I had never heard of this earlier, WordPress is the best.

  4. Posted January 25, 2010 at 1:08 am | Permalink
    yuyo

    A pleasure to come to your site. Thanks very much!
    wordpress the best…

  5. Posted January 30, 2010 at 12:56 am | Permalink
    marcus

    No other like wordpress, thank you very nice blog by the way.

  6. Posted March 27, 2010 at 3:46 am | Permalink
    Miss Jezi

    I had never heard of this earlier, WordPress is the best.

  7. Posted April 17, 2010 at 2:42 am | Permalink
    Oyun hileleri indir

    it is awesome, and really great. Thank you a lot…

  8. Posted October 5, 2010 at 7:10 am | Permalink
    Mold Removal Hialeah

    It is awesome. WordPress is the best. Thank you very nice blog by the way.

  9. Posted November 7, 2010 at 5:59 pm | Permalink
    Joe

    w really interesting. Thanks!

  10. Posted November 27, 2011 at 1:53 am | Permalink
    kayseri evden eve

    thank you ver very

  11. Posted March 26, 2012 at 9:30 am | Permalink
    kayseri nakliyat

    beautiful WordPress

  12. Posted April 3, 2012 at 4:01 pm | Permalink
    porta badge

    I hope it’s not an issue anymore in the latest WordPress version.

  13. Posted September 21, 2012 at 12:29 am | Permalink
    New Fashion Style

    Keep up the good work, Sony. It’s great, and the work they are doing so far is great.

  14. Posted October 18, 2012 at 3:59 am | Permalink
    Limousine Toronto

    Thanks for sharing such good information about this topic over here, nice post. I just respond to inform you that all the things are wonderful on your page. I will be your faithful reader. Thanks a lot!

  15. Posted January 10, 2013 at 4:06 am | Permalink
    Vashikaran

    WordPress is a great website; freshers can learn many things from that website.

  16. Posted February 2, 2013 at 2:34 am | Permalink
    Vashikaran

    WordPress is great

  17. Posted April 23, 2013 at 12:50 am | Permalink
    Deportment classes

    Your style is so unique compared to many other people. Thank you for publishing when you have the opportunity, guess I will just make this bookmarked.

  18. Posted August 15, 2013 at 10:54 pm | Permalink
    Shruti

    I want to stress especially the “novel” use of the onload function of img/script tags. People in the past have used it to detect the presence of different host-names/”port scanning” internal systems by vectoring through a hooked browser. I say that’s cool and all, but you can take that further and use it to detect the presence of a plugin on a target on demand, making you able to be much more sneaky. When the markup detects a plugin present on the target, it redirects the browser to the exploit, and no further requests can be made by that IP to the script.

  19. Posted September 17, 2013 at 7:09 am | Permalink
    צימרים עם בריכה

    Come in and choose cabins with a pool from the list of cabins.

  20. Posted March 6, 2014 at 2:25 pm | Permalink
    Jamaican Tours

    how to prevent this attack?

  21. Posted April 2, 2014 at 6:15 pm | Permalink
    official michael

    It is perfect time to make some plans for the long run and it is time to be happy.
    I have read this put up and if I may I desire to suggest you some
    fascinating issues or advice. Maybe you could write next articles regarding this article.
    I want to read more things about it!

    official michael kors outlet
