[wp-hackers] Rethinking check_admin_referer()

Rob r at robm.me.uk
Mon Apr 17 17:19:29 GMT 2006

John Joseph Bachir wrote:
> I have had neither coffee nor lunch yet today so maybe I am forgetting 
> something obvious, but: isn't the biggest problem with with security 
> through referer checks that referers can be trivially spoofed from the 
> client side? Or to put it another way, the http client has the option 
> of supplying an arbitrary referer string?
> John
> ----
> aim/yim/msn/jabber.org: johnjosephbachir
> 713.494.2704
> irc://irc.freenode.net/lyceum
> http://lyceum.ibiblio.org/
> http://blog.johnjosephbachir.org/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
Not really, since the attack vector here requires an attacker to have a 
logged-in user make the request, thus removing any possibility of them 
manipulating the HTTP headers, and therefore spoofing the referrer, 
since all the requests will be done from the client's end.

Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/

More information about the wp-hackers mailing list