[wp-hackers] Security at Wordpress
John Joseph Bachir
jjb at ibiblio.org
Mon Apr 24 17:12:35 GMT 2006
On Mon, 24 Apr 2006, John Joseph Bachir wrote:
> Just on the subject of nonces and POST... even if all side-effect
> actions used POST, there are still security vulnerabilities that a nonce
> system will defeat. One example is making a webpage that looks just like
> the admin interface but isn't, and then using social engineering to get
> the victim (who has an authorization cookie) to use the impostor form.
> (checking admin referers also defeats some or all of these cases as
> well)
Whoops, just saw that Owen already mentioned this 10 emails back :)
John
----
aim/yim/msn/jabber.org: johnjosephbachir
713.494.2704
irc://irc.freenode.net/lyceum
http://lyceum.ibiblio.org/
http://blog.johnjosephbachir.org/
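An added illustration of the point made in the quoted paragraph (example code, not from the thread and not WordPress's own implementation): a nonce is bound to the logged-in user, the action and a time window, so a look-alike form that the victim is tricked into submitting fails the check even though the browser sends the authorization cookie with the POST. The secret key and the 12-hour window scheme are constructed for this example.

```python
import hashlib
import hmac

# Constructed secret for this example only; a real site loads its salt from configuration.
SECRET_KEY = b"example-secret-not-for-production"
NONCE_LIFE = 24 * 60 * 60  # seconds a nonce stays valid, spread over two half-life windows


def _tick(now):
    # Time window counter: a nonce minted in window N is accepted in windows N and N+1.
    return int(now) // (NONCE_LIFE // 2)


def _mac(tick, action, user_id):
    # Keyed hash over window, action and user; the attacker cannot compute it without SECRET_KEY.
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action, user_id, now):
    """Mint a nonce bound to the action, the logged-in user and the current window."""
    return _mac(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now):
    """Accept the current window or the one before it, nothing older."""
    tick = _tick(now)
    for t in (tick, tick - 1):
        if hmac.compare_digest(_mac(t, action, user_id), nonce):
            return True
    return False


def render_admin_form(session_user_id, now):
    """Hidden fields the genuine admin page embeds; an impostor page cannot read this value."""
    return {"post_id": "42", "_wpnonce": create_nonce("delete-post", session_user_id, now)}


def handle_delete_post(form, session_user_id, now):
    """Server side of the side-effect action: the session cookie alone is not enough."""
    if not verify_nonce(form.get("_wpnonce", ""), "delete-post", session_user_id, now):
        return 403
    return 200
```

Note that an attacker who holds their own account can mint a valid nonce for themselves, but it does not verify for the victim's user id, which is why the user must be part of the hashed input.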