[wp-hackers] Rethinking check_admin_referer()

Mark Jaquith mark.wordpress at txfx.net
Mon Apr 17 08:15:05 GMT 2006

On Apr 17, 2006, at 4:03 AM, Paul Mitchell wrote:

> The simple solution is a Personal Identification Number.
> All administrative users may enter a PIN on their profile. WP
> automatically appends it to every administrative command URL it
> generates (e.g. &action=deletepost&PIN=1234). On the flip-side, WP
> checks the incoming PIN on the command URL against that of the  
> logged-in
> administrator and, on a mismatch, refuses the command and records the
> attempt.

That's basically a simplified version of what I was suggesting... but  
for POSTs.  We shouldn't be performing DB-changing tasks on GET  
requests.  Additionally, the hash I'm suggesting would be automatic,  
and optionally unique to the unique action being performed and object  
being manipulated.  But if Matt's right about an attacker being able  
to extract the key/PIN, they're both useless...

Mark Jaquith

More information about the wp-hackers mailing list