[wp-hackers] Rethinking check_admin_referer()
Brian at TheCodeCave.com
Tue Apr 18 22:03:30 GMT 2006
Andy Skelton wrote:
> On 4/18/06, David House <dmhouse at gmail.com> wrote:
>> POST method would fix this. Somebody remind me why we are using GET.
> Indeed it would.
That seems like a fairly major methodology change that could break a lot of
stuff, even though you'd be limiting it to the units that currently have an
embedded referrer check. Additionally, it would not completely solve the
I'll quote that article I linked to earlier: (I don't have the original link
at the moment, but the text is here: http://www.thecodecave.com/csrf.txt)
> How can it be fixed? Well, there are a couple of ways to stop it, but the
> easiest (in PHP at least) seems to be to have most of the variables used
> scripts be used through $HTTP_POST_VARS. So instead of checking for
> in a script, $HTTP_POST_VARS['action'] would be checked. This forces the
> user to use a POST request, not a GET.
to click on an image that's acting as a submit control in a <form>.
Requiring POST raises the bar, but doesn't really fix the problem.
So, it seems to be a fairly simple thing to update the post vars by using
tried any of this from this context. I'll have to build a few test pages
when I get a chance...
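The point made above (a POST-only check still accepts a submission from a form hosted elsewhere, while a per-session token tied to the action does not) as a small added PHP illustration. This is not WordPress's check_admin_referer() code; the function names, the session secret and the sample requests are constructed for the example.

```php
<?php
// Added illustration, not WordPress code. All names here are hypothetical.

// Issue a token bound to the current session and to one specific action.
function issue_action_token(string $session_secret, string $action): string {
    return hash_hmac('sha256', $action, $session_secret);
}

// The check the quoted article proposes: only require that the request
// arrived via POST and carries an action.
function post_only_check(array $server, array $post): bool {
    return ($server['REQUEST_METHOD'] ?? '') === 'POST' && isset($post['action']);
}

// A token check: the request must carry a value that only a page rendered
// for this session (and this action) could have contained. A form on a
// third-party site does not know the session secret, so it cannot forge it.
function token_check(string $session_secret, array $server, array $post): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = issue_action_token($session_secret, (string)($post['action'] ?? ''));
    // hash_equals keeps the comparison constant-time.
    return hash_equals($expected, (string)($post['_token'] ?? ''));
}

// Constructed sample: an auto-submitting form on another site sends a POST
// with the right action but no valid token.
$secret = 'constructed-per-session-secret';
$server = ['REQUEST_METHOD' => 'POST'];
$forged = ['action' => 'delete-post', 'id' => '42'];
// The POST-only check accepts the forged request; the token check rejects it.
var_dump(post_only_check($server, $forged));
var_dump(token_check($secret, $server, $forged));

// A form rendered by the site itself embeds the token, so it passes the token check.
$legit = $forged + ['_token' => issue_action_token($secret, 'delete-post')];
var_dump(token_check($secret, $server, $legit));
```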