[wp-hackers] Rethinking check_admin_referer()

Andy Skelton skeltoac at gmail.com
Mon Apr 17 08:10:34 GMT 2006

On 4/17/06, Paul Mitchell <wp-hackers at paul-mitchell.me.uk> wrote:
> Command URLs could only then be forged if the attacker knows the
> administrator's PIN, which can be changed at will. The administrator
> sees and feels nothing different.

The URL is the most-often logged piece of an HTTP request. I wouldn't
feel good about that kind of security unless it were over HTTPS.


More information about the wp-hackers mailing list