[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Mon Apr 17 16:30:31 GMT 2006

On 4/17/06, John Joseph Bachir <jjb at ibiblio.org> wrote:
> I have had neither coffee nor lunch yet today so maybe I am forgetting
> something obvious, but: isn't the biggest problem with with security
> through referer checks that referers can be trivially spoofed from the
> client side? Or to put it another way, the http client has the option of
> supplying an arbitrary referer string?

Without a cookie, that doesn't really matter at this stage of the
game, we're assuming that the user's cookie hasn't been stolen, if it
has, the fact that referers can be spoofed is trivial then as well,
considering that with a cookie you can just log right in. Checking
referers here is not the security issue, its a convenience issue,
because more and more people are disabling referer sending, whether it
be voluntary, firewalls, Norton, etc.

> John
> ----
> aim/yim/msn/jabber.org: johnjosephbachir
> 713.494.2704
> irc://irc.freenode.net/lyceum
> http://lyceum.ibiblio.org/
> http://blog.johnjosephbachir.org/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

--Robert Deaton

More information about the wp-hackers mailing list