[wp-hackers] Rethinking check_admin_referer()
Robert Deaton
false.hopes at gmail.com
Tue Apr 18 23:30:16 GMT 2006
On 4/18/06, Brian Layman <Brian at thecodecave.com> wrote:
> which means the attacker reverts to using Javascript, or entices the victim
> to click on an image that's acting as a submit control in a <form>.
> Requiring POST raises the bar, but doesn't really fix the problem.
>
> So, it seems to be a fairly simple thing to update the post vars by using
> JavaScript inside the link. It makes sense that it would be, but I haven't
> tried any of this from this context. I'll have to build a few test pages
> when I get a chance...
With KSES, this should be a non-issue.
--
--Robert Deaton
http://somethingunpredictable.com
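The point raised in the quoted text, that a POST-only check is defeated by a script-submitted form while a per-user, per-action nonce is not, illustrated as an added Python example (not WordPress code, and not check_admin_referer() itself); the secret, the 12-hour tick window and the request dictionaries are constructed for the demonstration:

```python
import hmac
import hashlib

# Constructed server secret for the example; a real site would keep its own.
SECRET = b"constructed-example-secret"
TICK_SECONDS = 12 * 3600  # nonces roll over twice a day (assumed window)


def make_nonce(action, user_id, now, secret=SECRET):
    """Derive a short keyed hash bound to the action, the user and a time tick."""
    tick = int(now // TICK_SECONDS)
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, action, user_id, now, secret=SECRET):
    """Accept the current tick and the previous one so a form does not
    expire at the exact tick boundary; compare in constant time."""
    for offset in (0, TICK_SECONDS):
        expected = make_nonce(action, user_id, now - offset, secret)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def method_only_check(request):
    """The weak check: any POST is accepted, including one a script submitted
    from another origin using the victim's cookies."""
    return request["method"] == "POST"


def nonce_check(request, user_id, now):
    """The stronger check: POST plus a nonce the attacker's page cannot know."""
    form = request["form"]
    return request["method"] == "POST" and verify_nonce(
        form.get("_nonce", ""), form.get("action", ""), user_id, now)


if __name__ == "__main__":
    now = 1_700_000_000.0
    forged = {"method": "POST", "form": {"action": "delete-post"}}
    legit = {"method": "POST", "form": {"action": "delete-post",
             "_nonce": make_nonce("delete-post", 7, now)}}
    print(method_only_check(forged), nonce_check(forged, 7, now))  # True False
    print(method_only_check(legit), nonce_check(legit, 7, now))    # True True
```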