[wp-hackers] Rethinking check_admin_referer()

Paul Mitchell wp-hackers at paul-mitchell.me.uk
Mon Apr 17 08:03:14 GMT 2006


As I understand it, the problem is that command URLs to the
administrative interface can be forged because they contain nothing
secret. The simple solution is a Personal Identification Number.

All administrative users may enter a PIN on their profile. WP
automatically appends it to every administrative command URL it
generates (e.g. &action=deletepost&PIN=1234). On the flip-side, WP
checks the incoming PIN on the command URL against that of the logged-in
administrator and, on a mismatch, refuses the command and records the

Command URLs could only then be forged if the attacker knows the
administrator's PIN, which can be changed at will. The administrator
sees and feels nothing different.

This seems "slap-forehead" simple, and it's early, so I could be talking
bollocks. :)

Paul Mitchell, Coding and Crafting Quality Software
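The mechanism Paul describes, as an added illustration that is not WordPress code and not from the original post: a per-user secret is appended to every generated admin command URL, and the handler refuses any command whose secret does not match the logged-in user's. Assumed for the sketch: the current user's record is already loaded from the session (a constructed array here), the comparison uses PHP's constant-time `hash_equals()` rather than `==`, and the mismatch is recorded with `error_log()`.

```php
<?php
// Added example (not WordPress code). Demonstrates the proposal of
// appending a per-user secret to admin command URLs and checking it
// on the way back in. Function names and the $current_user array are
// assumptions for the sketch.

// Build a command URL the way WP would, with the PIN appended.
function admin_command_url(string $base, array $args, string $pin): string
{
    $args['PIN'] = $pin;
    return $base . '?' . http_build_query($args);
}

// Check the PIN on an incoming request against the logged-in user's.
// hash_equals() compares in constant time so the check does not leak
// how many leading characters matched.
function check_admin_pin(array $query, string $expected_pin): bool
{
    if (!isset($query['PIN']) || !is_string($query['PIN'])) {
        return false;
    }
    return hash_equals($expected_pin, $query['PIN']);
}

// Refuse the command and record the mismatch (the "records the ..."
// step of the proposal; what is recorded is an assumption here).
function enforce_admin_pin(array $query, array $user): bool
{
    if (check_admin_pin($query, $user['pin'])) {
        return true;
    }
    error_log(sprintf(
        'admin PIN mismatch for user %s: action=%s',
        $user['login'],
        $query['action'] ?? '(none)'
    ));
    return false;
}

// Constructed sample: the logged-in administrator's profile record.
$current_user = ['ID' => 1, 'login' => 'admin', 'pin' => '1234'];

// A link WP itself generated.
$url = admin_command_url(
    '/wp-admin/post.php',
    ['action' => 'deletepost', 'post' => 42],
    $current_user['pin']
);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(enforce_admin_pin($query, $current_user));   // legitimate

// A link forged by someone who does not know the PIN.
parse_str('action=deletepost&post=42', $forged);
var_dump(enforce_admin_pin($forged, $current_user));  // refused
```

The check itself is a few lines; the operational weight is in distributing the secret into every generated URL and nowhere else. A short user-chosen PIN as in the post is guessable and, once it sits in a URL, travels in `Referer` headers and server logs, so the example's `pin` field would in practice hold a long random per-user value that can be rotated.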
