[wp-hackers] Rethinking check_admin_referer()

David House dmhouse at gmail.com
Mon Apr 17 19:04:26 GMT 2006


On 17/04/06, John Joseph Bachir <jjb at ibiblio.org> wrote:
> I have had neither coffee nor lunch yet today so maybe I am forgetting
> something obvious, but: isn't the biggest problem with security
> through referer checks that referers can be trivially spoofed from the
> client side? Or to put it another way, the http client has the option of
> supplying an arbitrary referer string?

Yes they are, but admin referers are to protect admins from themselves (ish).

A malicious commenter leaves a comment saying "hey, nice post, here's
[my response]" with a link to what appears to be their site but is in
fact something like
http://yoursite.com/wp-admin/post.php?action=delete&post=123. Before
you know it, you've just deleted post 123. Oops. This can be done with
images as well, so you don't even have to click anything.

--
-David House, dmhouse at gmail.com, http://xmouse.ithium.net
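The two checks discussed in this thread, written out as an added example (this is not WordPress code, and `check_admin_referer()` itself is not reproduced here). The first function models the Referer test: an admin action is accepted only when the browser says it came from the site's own wp-admin pages, which is what stops the link-or-image trick David describes, since the browser then sends the commenter's page (or nothing) as the Referer. The second pair of functions models the per-user, per-action signed token that later replaced reliance on the header. `SITE_ADMIN_ORIGIN`, `SECRET`, the `_wpnonce` query name, the 12-hour tick and all three sample requests are constructed for the example.

```python
"""Referer check versus signed nonce for a wp-admin style action.

Added illustration, not WordPress code. All requests below are constructed.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SITE_ADMIN_ORIGIN = "http://yoursite.com"    # constructed sample blog origin
SECRET = b"constructed-example-secret-key"    # stands in for a site salt


def referer_allows(request):
    """Accept the action only if the Referer points into this site's
    wp-admin area. A link or <img> on a third party's page makes the
    browser send *that* page as Referer, so such a request is refused."""
    referer = request.get("headers", {}).get("Referer")
    if not referer:
        # No header at all (privacy proxy, browser setting): refuse, which
        # is the false positive that makes this check annoying in practice.
        return False
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ADMIN_ORIGIN and parts.path.startswith("/wp-admin/")


def make_nonce(action, user_id, now=None):
    """Token bound to user, action and a coarse time window (12 h ticks,
    constructed value). A URL planted in a comment cannot carry a valid
    token for the admin, because the attacker does not hold SECRET."""
    tick = int((now if now is not None else time.time()) // 43200)
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def _action_name(url):
    """Derive the action label from the query string, e.g. delete-post_123."""
    query = parse_qs(urlsplit(url).query)
    action = query.get("action", [""])[0]
    post_id = query.get("post", [""])[0]
    return f"{action}-post_{post_id}", query


def signed_url(url, user_id, now=None):
    """Append the token to an admin link, as the admin screens would."""
    action, _ = _action_name(url)
    return f"{url}&_wpnonce={make_nonce(action, user_id, now)}"


def nonce_allows(request, user_id, now=None):
    """Accept only if the supplied token matches the one computed for the
    logged-in user. The Referer header plays no part in this decision."""
    action, query = _action_name(request["url"])
    supplied = query.get("_wpnonce", [""])[0]
    expected = make_nonce(action, user_id, now)
    return hmac.compare_digest(supplied, expected)


# Constructed sample requests.
# 1. The image trick from the thread: the browser fetches the admin URL
#    while rendering the commenter's page, so Referer is that page.
CSRF_REQUEST = {
    "url": "http://yoursite.com/wp-admin/post.php?action=delete&post=123",
    "headers": {"Referer": "http://evil.example/nice-post"},
}
# 2. The admin clicking the real delete link inside wp-admin.
LEGIT_REQUEST = {
    "url": "http://yoursite.com/wp-admin/post.php?action=delete&post=123",
    "headers": {"Referer": "http://yoursite.com/wp-admin/edit.php"},
}
# 3. Same legitimate click, but something in between stripped the header.
STRIPPED_REQUEST = {
    "url": "http://yoursite.com/wp-admin/post.php?action=delete&post=123",
    "headers": {},
}


if __name__ == "__main__":
    for name, req in [("csrf", CSRF_REQUEST), ("legit", LEGIT_REQUEST),
                      ("stripped", STRIPPED_REQUEST)]:
        print(name, "referer check:", referer_allows(req))
    signed = {"url": signed_url(LEGIT_REQUEST["url"], user_id=1), "headers": {}}
    print("signed link, no Referer, nonce check:", nonce_allows(signed, 1))
```

Running it shows the trade-off behind the thread: the Referer check refuses the planted link but also refuses the admin's own click once the header is stripped, while the signed token accepts the admin's link without any Referer and still refuses the planted one.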

