Ferruh WordPress CSRF Vulnerability
Ferruh sent BlogSec an email this morning about a new attack vector for WordPress, using CSRF (Cross Site Request Forgery).
We have not yet had time to investigate the issue further, but it looks interesting. The basic concept revolves around the fact that WordPress, in the name of user friendliness, asks the user for confirmation when a request arrives without a valid nonce, rather than rejecting it outright.
By dressing up that confirmation request in some fancy CSS it may be possible to get the user to confirm it without knowing what they are approving.
It's a CSRF with a user-intervention requirement, which may mean a little social engineering. Ferruh also provides a proof-of-concept exploit.
Ferruh credits BlogSec’s Gareth Heyes for his work around CSS Overlays.
Nice work Ferruh!
Comments
[...] named Ferruh has a proof-of-concept cross-site request forgery (CSRF) attack against WordPress (HT: DK at BlogSecurity). I’ve tried it out successfully on my own version of WordPress [...]
Rasheed, Ferruh provided a patch as part of his advisory. The patch basically prevents any requests without a valid nonce present.
[...] Blog Security reports on a WordPress CSRF vulnerability described as a Cross Site Request Forgery. Investigations are ongoing. [...]
Gareth just informed me that WPIDS and WP Lockdown will prevent these attacks:
Lockdown and WPIDS protect against these sorts of CSRF attacks by employing a framebreaker in the admin area. This effectively eliminates this attack on every browser apart from IE.
So what should we do? Can you give us more details? Thanks.