[wp-hackers] Rethinking check_admin_referer()

Brian Layman Brian at TheCodeCave.com
Tue Apr 18 22:03:30 GMT 2006

Andy Skelton wrote:
>> On 4/18/06, David House <dmhouse at gmail.com> wrote:
>> POST method would fix this. Somebody remind me why we are using GET.
> Indeed it would.

That seems like a fairly major methodology change that could break a lot of
stuff, even though you'd be limiting it to the units that currently have an
embedded referrer check.  Additionally, it would not completely solve the

I'll quote that article I linked to earlier: (I don't have the original link
at the moment, but the text is here: http://www.thecodecave.com/csrf.txt)

> How can it be fixed? Well, there are a couple of ways to stop it, but the
> easiest (in PHP at least) seems to be to have most of the variables used
> scripts be used through $HTTP_POST_VARS. So instead of checking for
> in a script, $HTTP_POST_VARS['action'] would be checked. This forces the
> user to use a POST request, not a GET. 

which means the attacker reverts to using Javascript, or entices the victim
to click on an image that's acting as a submit control in a <form>. 
Requiring POST raises the bar, but doesn't really fix the problem.

So, it seems to be a fairly simple thing to update the post vars by using
JavaScript inside the link.  It makes sense that it would be, but I haven't
tried any of this from this context.  I'll have to build a few test pages
when I get a chance...
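A defensive illustration of the direction this thread points in, added here and not code from WordPress or from any post in the thread: a per-user, per-action token that is checked on every state-changing request regardless of HTTP method, so a cross-site GET link and a JavaScript-submitted POST fail the same way. The function names (create_action_nonce, verify_action_nonce, check_action_request), the constructed secret, the user id and the 12-hour window are assumptions, and it assumes PHP 7 or later rather than the $HTTP_POST_VARS era.

```php
<?php
// Hypothetical nonce check (not WordPress's check_admin_referer): the token is
// an HMAC over (time window, user, action) under a server-side secret, so a
// request forged from another origin cannot carry a valid one whether it
// arrives as a GET query string or as a form POST.

const NONCE_SECRET   = 'constructed-secret-replace-with-a-real-random-key'; // constructed
const NONCE_LIFETIME = 12 * 3600; // seconds; tokens roll over twice a day (assumption)

// Bind the token to the user, the exact action and a coarse time window.
function create_action_nonce(string $user_id, string $action, int $now): string {
    $tick = intdiv($now, NONCE_LIFETIME);
    return hash_hmac('sha256', "$tick|$user_id|$action", NONCE_SECRET);
}

// Accept the current and the previous window so a page loaded just before the
// rollover still submits; compare in constant time.
function verify_action_nonce(string $nonce, string $user_id, string $action, int $now): bool {
    foreach ([0, 1] as $back) {
        $expected = create_action_nonce($user_id, $action, $now - $back * NONCE_LIFETIME);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Method-agnostic guard: look in POST first, then GET, and fail closed when the
// token is absent. Requiring POST alone would not be a substitute for this.
function check_action_request(array $get, array $post, string $user_id, string $action, int $now): bool {
    $nonce = $post['_nonce'] ?? $get['_nonce'] ?? '';
    return $nonce !== '' && verify_action_nonce($nonce, $user_id, $action, $now);
}

// Constructed walk-through with a fixed clock and a fixed user id.
$now  = 1145397810;
$user = 'user-42';
$good = create_action_nonce($user, 'delete-post_7', $now);

$cases = [
    'legitimate POST carrying the token'     => check_action_request([], ['_nonce' => $good], $user, 'delete-post_7', $now),
    'legitimate GET carrying the token'      => check_action_request(['_nonce' => $good], [], $user, 'delete-post_7', $now),
    'cross-site POST without a token'        => check_action_request([], ['action' => 'delete-post_7'], $user, 'delete-post_7', $now),
    'token replayed against another action'  => check_action_request([], ['_nonce' => $good], $user, 'delete-post_8', $now),
    'token replayed after two windows'       => check_action_request([], ['_nonce' => $good], $user, 'delete-post_7', $now + 2 * NONCE_LIFETIME),
];
foreach ($cases as $label => $ok) {
    printf("%-40s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```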
