[wp-hackers] Enable Sending Referrers

David House dmhouse at gmail.com
Mon Aug 15 15:26:42 GMT 2005

On 14/08/05, Denis de Bernardy <denis at semiologic.com> wrote:
> I'd be curious to know the rationale behind this defense mechanism. Like,
> isn't it trivial to fake the referrer?
> D.

Someone posts a comment on your website. They link to a related post,
say. As you allow HTML (or Markdown, Textile) in your comments, the
link text isn't just the URL. You click the link, semi-interested.
Oops, suddenly you're taken to a page in your own admin and a little
box says 'Post deleted'. Hey? What?

As WP does things like deleting comments and posts using GET instead
of POST, those with malicious intent can post links that, when clicked
by an authorised user, could delete comments or posts. It's therefore
necessary to check that the referer came from an admin page. I.e., you
clicked the link from inside the admin, presumably on a 'confirm
delete comment/post' page.

Of course, all that doesn't help if you're reading the comments from
inside your admin to begin with...

-David House, dmhouse at gmail.com, http://xmouse.ithium.net
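
The referer check described in the message above, as an added example that is not part of the original post and is not WordPress's own code. The host blog.example, the /wp-admin/ prefix, the function name and every sample URL are assumptions made for illustration; the last sample is the case from the final paragraph, a link clicked while reading comments inside the admin, whose referer is a genuine admin page.

```php
<?php
// Added illustration, not WordPress code. Host and admin prefix are assumed values.
const SITE_HOST  = 'blog.example';
const ADMIN_PATH = '/wp-admin/';

/**
 * True only when the Referer header names a page under this site's admin area.
 * Hypothetical helper: call it before acting on a state-changing GET request.
 */
function referer_is_admin(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false; // header stripped by the browser or a proxy: refuse
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false; // not an absolute URL with a path
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Compare the parsed host exactly. A substring test on the raw header
    // would also match blog.example.evil.test or blog.example@evil.test.
    if (strtolower($parts['host']) !== SITE_HOST) {
        return false;
    }
    // The trailing slash in ADMIN_PATH keeps /wp-admin-old/ from matching.
    return strncmp($parts['path'], ADMIN_PATH, strlen(ADMIN_PATH)) === 0;
}

// Constructed Referer values for one and the same "delete" GET request.
$cases = [
    'no referer sent'           => null,
    'public post page'          => 'http://blog.example/2005/08/some-post/',
    'other site'                => 'http://evil.test/wp-admin/',
    'lookalike host'            => 'http://blog.example.evil.test/wp-admin/',
    'userinfo trick'            => 'http://blog.example@evil.test/wp-admin/',
    'lookalike path'            => 'http://blog.example/wp-admin-old/page',
    'admin confirm page'        => 'http://blog.example/wp-admin/confirm-delete',
    'comment read inside admin' => 'http://blog.example/wp-admin/comments',
];

foreach ($cases as $label => $referer) {
    printf("%-26s %s\n", $label, referer_is_admin($referer) ? 'allow' : 'refuse');
}
```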

