Thursday, 26 March 2015

CSRF issues with admin-ajax and profile page


Our client is using IBM App Scan Security on a WordPress installation we have provided them, and they have flagged the profile page with this issue:



Difference: Header removed from request: XMLHttpRequest
Header manipulated from:
http://myweb/admin.php?page=we_users_profile to:
http://ift.tt/1M2FMQA


We are using WordPress 3.8.3, as the client wishes to use IIS and Microsoft SQL, and the DB abstraction layer for Microsoft SQL works best for that version, and it's non-negotiable.


And this is the return:



POST myweb/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: wordpress_ae4ad255844b23c28a9c1c5b8f28f83d=USERNAME%7C1427361130%7Cfeefd87994da6183f2d60435c327b446; wordpress_logged_in_de5ad2x5844bx3c28a9c1c5b8f28f83d=STUDENT0%7C1427361130%7C6f87d1ec5e14642401bc1d3cba986536; wp-settings-316=mfold%3Do; wp-settings-time-316=1427188333
Referer: http://ift.tt/1M2FMQA
Accept-Language: en-SG
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: imsdev1
Pragma: no-cache
Content-Length: 100

interval=60&_nonce=57d64f25d4&action=heartbeat&screen_id=users_page_we_users_profile&has_focus=false

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: application/json; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.5.11
X-Powered-By: ASP.NET
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Tue, 24 Mar 2015 09:12:33 GMT
Content-Length: 26

{
"server_time": 1427188354
}


This supposedly failed their test for CSRF. Their advice is to provide a nonce, though there is already one.


Why does changing the referer still allow the request to be processed, and what can be done?
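To make the mechanism behind the question visible, here is an added Python model of WordPress's nonce-based CSRF check (this is example code written for this page, not WordPress core and not from the original post). It replays the scanner's manipulation (Referer rewritten, X-Requested-With dropped) against a handler that, like admin-ajax.php's heartbeat action, decides on the _nonce field alone, and contrasts it with requests a real cross-site attacker could send: no nonce, a nonce issued to another user, and an expired nonce. Assumptions: the secret key and session token are constructed, user id 316 is inferred from the wp-settings-316 cookie in the capture, and an HMAC-SHA256 stands in for WordPress's own wp_hash(); the tick/half-lifetime scheme and the 10-character truncation follow WordPress's design.

```python
import hashlib
import hmac
import math
import time
from urllib.parse import parse_qsl

# Constructed secret: WordPress derives its nonce key from the salts in
# wp-config.php. This placeholder exists only so the demo runs offline.
NONCE_KEY = b"constructed-demo-secret-not-a-wordpress-salt"
NONCE_LIFE = 86400  # seconds; WordPress's default nonce lifetime is one day


def nonce_tick(now):
    """Counter that advances every half-lifetime, like wp_nonce_tick()."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, user_id, session_token):
    """Keyed hash over tick|action|user|session, truncated to 10 characters.
    WordPress uses its own wp_hash(); an HMAC-SHA256 is a stand-in here."""
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    digest = hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()
    return digest[-12:-2]


def create_nonce(action, user_id, session_token, now=None):
    """Issue a nonce bound to one action and to the logged-in session."""
    now = time.time() if now is None else now
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """Return 1 for a nonce from the current tick, 2 for one from the
    previous tick (12 to 24 hours old), 0 if it does not verify."""
    now = time.time() if now is None else now
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, user_id, session_token)
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def handle_heartbeat(headers, body, session, now=None):
    """Model of admin-ajax.php?action=heartbeat. Headers such as Referer
    and X-Requested-With are received but never consulted: the decision
    rests on _nonce, which is tied to the session the cookie identifies.
    Returns (status, json_body)."""
    params = dict(parse_qsl(body))
    if params.get("action") != "heartbeat":
        return 400, {"error": "unknown action"}
    age = verify_nonce(params.get("_nonce", ""), "heartbeat-nonce",
                       session["user_id"], session["token"], now)
    if not age:
        return 403, {"error": "nonce check failed"}
    now = time.time() if now is None else now
    return 200, {"server_time": int(now)}


# Constructed session. User id 316 is assumed from the wp-settings-316
# cookie in the captured request; the token is made up.
SESSION = {"user_id": 316, "token": "constructed-session-token"}
NOW = 1427188354  # server_time from the captured response


def heartbeat_body(nonce):
    """Same form body as the capture, with the nonce substituted."""
    return (f"interval=60&_nonce={nonce}&action=heartbeat"
            "&screen_id=users_page_we_users_profile&has_focus=false")


def demo():
    """Replay the scanner's manipulation next to genuine cross-site attempts."""
    uid, tok = SESSION["user_id"], SESSION["token"]
    good = create_nonce("heartbeat-nonce", uid, tok, NOW)
    # What the scanner did: rewrote Referer and dropped X-Requested-With.
    manipulated = {"Referer": "http://other-origin.example/",
                   "Cookie": "wordpress_logged_in_...=STUDENT0|... (constructed)"}
    # A nonce issued to a different user, and nonces of increasing age.
    foreign = create_nonce("heartbeat-nonce", 999, "someone-elses-token", NOW)
    half_day = create_nonce("heartbeat-nonce", uid, tok, NOW - NONCE_LIFE // 2)
    full_day = create_nonce("heartbeat-nonce", uid, tok, NOW - NONCE_LIFE)
    return {
        "referer_changed": handle_heartbeat(manipulated, heartbeat_body(good), SESSION, NOW)[0],
        "no_nonce": handle_heartbeat(manipulated, "interval=60&action=heartbeat", SESSION, NOW)[0],
        "other_users_nonce": handle_heartbeat(manipulated, heartbeat_body(foreign), SESSION, NOW)[0],
        "half_day_old": handle_heartbeat(manipulated, heartbeat_body(half_day), SESSION, NOW)[0],
        "one_day_old": handle_heartbeat(manipulated, heartbeat_body(full_day), SESSION, NOW)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:18} -> HTTP {status}")
```

The outcome the scanner reported (same 200 after the header change) is exactly what a nonce-protected endpoint should produce: Referer is not the control, the nonce is, and a cross-site page cannot obtain a nonce bound to the victim's session. A WordPress nonce is reusable within its lifetime, so it is a CSRF token rather than a one-time value. In the real installation the equivalent of the check above is wp_verify_nonce() or check_ajax_referer(); the thing worth confirming for the custom we_users_profile page is that every custom wp_ajax_* handler it registers calls check_ajax_referer() (plus a capability check) instead of trusting Referer or X-Requested-With.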




