[wp-hackers] Rethinking check_admin_referer()
Mark Jaquith
mark.wordpress at txfx.net
Mon Apr 17 08:15:05 GMT 2006
On Apr 17, 2006, at 4:03 AM, Paul Mitchell wrote:
> The simple solution is a Personal Identification Number.
>
> All administrative users may enter a PIN on their profile. WP
> automatically appends it to every administrative command URL it
> generates (e.g. &action=deletepost&PIN=1234). On the flip-side, WP
> checks the incoming PIN on the command URL against that of the
> logged-in administrator and, on a mismatch, refuses the command and
> records the attempt.
That's basically a simplified version of what I was suggesting... but
for POSTs. We shouldn't be performing DB-changing tasks on GET
requests. Additionally, the hash I'm suggesting would be automatic,
and optionally unique to the unique action being performed and object
being manipulated. But if Matt's right about an attacker being able
to extract the key/PIN, they're both useless...
--
Mark Jaquith
http://txfx.net/
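The scheme Mark sketches above (a hash tied to the logged-in user, to the specific action and to the object being manipulated, checked only on POST, with failures recorded) can be shown end to end in a few lines. The following is an added illustration written for this archive page; it is not WordPress code and not code from either poster. The server secret, the 12-hour tick, the request shape and the audit log are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample secret for the example only; a real deployment generates
# its own and keeps it out of the database the attacker might read.
SERVER_SECRET = b"constructed-server-secret-for-illustration"

# Validity window: nonces are bound to a coarse time "tick" so a stolen one
# expires. 12 hours is a constructed choice for this example.
TICK_SECONDS = 12 * 60 * 60


def _tick(now=None):
    """Coarse time index used to bound a nonce's lifetime."""
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def _nonce_for_tick(tick, user_id, session_token, action, object_id):
    """HMAC over tick | user | session | action | object; truncated for URL/form use."""
    msg = f"{tick}|{user_id}|{session_token}|{action}|{object_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(user_id, session_token, action, object_id, now=None):
    """Nonce the application embeds in the form it generates for one action on one object."""
    return _nonce_for_tick(_tick(now), user_id, session_token, action, object_id)


def verify_nonce(nonce, user_id, session_token, action, object_id, now=None):
    """Accept the current tick and the previous one so a form left open across
    a tick boundary still submits; anything older, or any other user/action/
    object, fails. compare_digest avoids leaking the expected value via timing."""
    current = _tick(now)
    for tick in (current, current - 1):
        expected = _nonce_for_tick(tick, user_id, session_token, action, object_id)
        if hmac.compare_digest(expected, nonce):
            return True
    return False


def handle_admin_request(method, form, user, audit_log, now=None):
    """Simulated admin endpoint: state changes only on POST, nonce must match
    the action and object in the same request, and refusals are recorded."""
    action = form.get("action", "")
    object_id = form.get("post", "")
    if method != "POST":
        audit_log.append(f"refused: {method} not allowed for action={action}")
        return False
    nonce = form.get("_nonce", "")
    if not verify_nonce(nonce, user["id"], user["session"], action, object_id, now):
        audit_log.append(
            f"refused: nonce mismatch user={user['id']} action={action} object={object_id}"
        )
        return False
    audit_log.append(f"ok: user={user['id']} action={action} object={object_id}")
    return True


if __name__ == "__main__":
    # Constructed user record and a delete request for post 42.
    admin = {"id": 1, "session": "sess-abc"}
    log = []
    token = create_nonce(admin["id"], admin["session"], "deletepost", "42")
    form = {"action": "deletepost", "post": "42", "_nonce": token}
    print(handle_admin_request("POST", form, admin, log))          # True
    # Same token replayed against a different post is refused.
    print(handle_admin_request("POST", {**form, "post": "43"}, admin, log))  # False
    print("\n".join(log))
```

The point of binding the HMAC to the session token as well as the user id is that the value is not stored anywhere as a reusable "PIN": it is recomputed per check from a server-side secret, so extracting a user's profile row yields nothing replayable, and a token lifted from one form is useless for any other action, object or user. Whether that survives the stronger attacker Matt raises (one who can pull the secret itself) is a separate question the thread leaves open.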