
CVE-2019-17675: Changeset 46477 – WordPress Trac

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
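To make the type-confusion point concrete, here is an added illustration (not WordPress code and not part of the changeset) that models the decision the diff below changes on pluggable.php line 1128: a request is accepted if its nonce is valid, or, as a legacy fallback, if the action is the default `-1` and the referer starts with the admin URL. The helper name `request_passes()` and the `$strict` switch between the old `==` and the fixed `===` are assumptions for this example; the inputs are constructed.

```php
<?php
// Added illustration, not WordPress code: a reduced model of the legacy
// fallback in check_admin_referer(). Function name and $strict flag are
// assumptions for this example.

/**
 * Models line 1128 of pluggable.php: the request passes when the nonce
 * is valid, or when the action is the legacy default (-1) AND the referer
 * starts with the admin URL. $strict selects === (fixed) or == (old).
 */
function request_passes( $action, bool $nonce_valid, bool $referer_is_admin, bool $strict ): bool {
    $is_default = $strict ? ( -1 === $action ) : ( -1 == $action );
    return $nonce_valid || ( $is_default && $referer_is_admin );
}

// Constructed inputs: no valid nonce at all, referer does point at wp-admin.
// The integer default and two string spellings that PHP coerces to -1.
$cases = [ -1, '-1', '-1.0' ];
foreach ( $cases as $action ) {
    printf(
        "action %-6s  old (==): %-5s  fixed (===): %s\n",
        var_export( $action, true ),
        var_export( request_passes( $action, false, true, false ), true ),
        var_export( request_passes( $action, false, true, true ), true )
    );
}
// With == every string form of -1 reaches the referer-only path and is
// accepted without a nonce; with === only the integer default does, so a
// caller that passes a string action must always present a valid nonce.
```

The referer prefix test (`strpos( $referer, $adminurl ) === 0`) was already strict in the original code; the weak link was the loose comparison that decided whether that referer-only path could be taken at all.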


Timestamp:

10/14/2019 03:38:14 PM (3 years ago)

whyisjake

Message:

Administration: Ensure that admin referer nonce is valid.

Coding standards, ensure that nonce is valid with identical, rather than equal operator.

Props vortfu, xknown, whyisjake.

Location:

trunk

Files:

  • src/wp-includes/pluggable.php (2 diffs)
  • tests/phpunit/tests/auth.php (2 diffs)


  • trunk/src/wp-includes/pluggable.php

    r46472

    r46477

1107

1107

     \*/

1108

1108

    function check\_admin\_referer( $action = -1, $query\_arg = '\_wpnonce' ) {

1109

 

        if ( -1 == $action ) {

 

1109

        if ( -1 ==\= $action ) {

1110

1110

            \_doing\_it\_wrong( \_\_FUNCTION\_\_, \_\_( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );

1111

1111

        }
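Review bot: the `===` on line 1109 only governs the `_doing_it_wrong` notice, so a caller passing the string '-1' (as the new test in auth.php does) no longer receives the "specify a nonce action" notice even though it is still relying on the default action. If the intent is to keep nudging those callers, the notice should match both the integer default and its string form; otherwise the docblock above this hunk should state that only the integer -1 is treated as the default.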

…

…

 

1126

1126

        do\_action( 'check\_admin\_referer', $action, $result );

1127

1127

1128

 

        if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {

 

1128

        if ( ! $result && ! ( -1 ==\= $action && strpos( $referer, $adminurl ) === 0 ) ) {

1129

1129

            wp\_nonce\_ays( $action );

1130

1130

            die();
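Review bot: line 1128 is the security-relevant change. This branch lets a request through without a valid nonce whenever the action is the legacy default and the referer merely starts with the admin URL; with `-1 == $action` any string that PHP coerces to -1 also took that path, while `===` confines it to the integer default. The `strpos( $referer, $adminurl ) === 0` prefix check was already strict, so the fix is consistent with it. Consider a one-line comment here saying that the referer-only fallback applies solely to the integer default, since the definitions of `$referer` and `$adminurl` sit outside this hunk and a future reader will not see why the strictness matters.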
  • trunk/tests/phpunit/tests/auth.php

    r45717

    r46477

25

25

        self::$user\_id = self::$\_user->ID;

26

26

27

 

        require\_once( ABSPATH . WPINC . '/class-phpass.php' );

 

27

        require\_once ABSPATH . WPINC . '/class-phpass.php';

28

28

        self::$wp\_hasher = new PasswordHash( 8, true );

29

29

    }
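Review bot: line 27 is a style-only change: `require_once` is a language construct, so the parentheses were redundant and removing them does not alter behaviour. Fine to land, though keeping unrelated coding-standards churn out of a security changeset would make the backport to older branches smaller and easier to audit.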

…

…

 

166

166

    }

167

167

 

168

    public function test\_check\_admin\_referer\_with\_default\_action\_as\_string\_not\_doing\_it\_wrong() {

 

169

        $this->setExpectedIncorrectUsage( 'check\_admin\_referer' );

 

170

        // A valid nonce needs to be set so the check doesn't die()

 

171

        $\_REQUEST\['\_wpnonce'\] = wp\_create\_nonce( '-1' );

 

172

        $result               = check\_admin\_referer( '-1' );

 

173

        $this->assertSame( 1, $result );

 

174

 

175

        unset( $\_REQUEST\['\_wpnonce'\] );

 

176

    }

 

177

168

178

    /\*\*

169

179

     \* @ticket 36361
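Review bot: the test name ends in `not_doing_it_wrong`, but line 169 calls `setExpectedIncorrectUsage( 'check_admin_referer' )`, which makes the test expect a `_doing_it_wrong` notice; after the `===` change on pluggable.php line 1109 the string '-1' no longer reaches that notice, so one of the two looks wrong. Either drop line 169 or rename the test to match what is asserted. Separately, this test supplies a valid nonce on line 171, so it never exercises the referer-only fallback on pluggable.php line 1128 that this changeset hardens; a companion test with no `_wpnonce` set, a referer under the admin URL and a string action, asserting that the request is rejected, would cover the actual fix.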

