[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Tue Apr 18 23:30:16 GMT 2006

On 4/18/06, Brian Layman <Brian at thecodecave.com> wrote:
> which means the attacker reverts to using Javascript, or entices the victim
> to click on an image that's acting as a submit control in a <form>.
> Requiring POST raises the bar, but doesn't really fix the problem.
> So, it seems to be a fairly simple thing to update the post vars by using
> JavaScript inside the link.  It makes sense that it would be, but I haven't
> tried any of this from this context.  I'll have to build a few test pages
> when I get a chance...

With KSES, this should be a non-issue.

--Robert Deaton
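The exchange above turns on one point: a method check alone ("must be POST") does not stop a cross-site request, because a form on another page can be submitted with POST just as easily, while a nonce tied to the user, the action and a time window cannot be produced by a page that does not hold the site secret. The following sketch, added here as an illustration and not code from WordPress or from either poster, contrasts the two checks side by side. The secret key, the 12-hour tick scheme, the `_wpnonce` field name and the request dictionaries are constructed assumptions modeled loosely on how WordPress nonces behave, not its implementation.

```python
import hashlib
import hmac
import time

# Assumption: a per-site secret, like the salts WordPress keeps in wp-config.php.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

# Assumption: a nonce is valid for two half-ticks, so about 12 to 24 hours.
NONCE_LIFE = 12 * 3600


def nonce_tick(now=None):
    """Time bucket the nonce is bound to; WordPress uses a similar ceil(time / (life/2))."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE / 2))


def _nonce_for_tick(tick, user_id, action):
    msg = f"{tick}|{action}|{user_id}".encode()
    # HMAC over tick, action and user: only a holder of SECRET_KEY can compute it.
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(user_id, action, now=None):
    """Value the site embeds in its own forms as a hidden _wpnonce field."""
    return _nonce_for_tick(nonce_tick(now), user_id, action)


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current tick and the previous one so a form does not expire mid-edit."""
    tick = nonce_tick(now)
    for t in (tick, tick - 1):
        expected = _nonce_for_tick(t, user_id, action)
        if hmac.compare_digest(str(nonce), expected):
            return True
    return False


def check_post_only(request):
    """The check the thread calls insufficient: any POST passes."""
    return request["method"] == "POST"


def check_nonce(request, user_id, action, now=None):
    """Method check plus a nonce bound to this user and this action."""
    token = request["fields"].get("_wpnonce", "")
    return request["method"] == "POST" and verify_nonce(token, user_id, action, now)


def demo(now=1_700_000_000):
    """Run both checks over two constructed requests and report the outcomes."""
    user_id = 42
    action = "delete-post_7"  # constructed action name, not a real WordPress action
    token = create_nonce(user_id, action, now)
    # Constructed: a form the site itself rendered for this user, carrying the nonce.
    legit = {"method": "POST", "fields": {"post": "7", "_wpnonce": token}}
    # Constructed: a POST arriving from a page that never saw the nonce, so it has none.
    foreign = {"method": "POST", "fields": {"post": "7"}}
    return {
        "legit_post_only": check_post_only(legit),
        "foreign_post_only": check_post_only(foreign),
        "legit_nonce": check_nonce(legit, user_id, action, now),
        "foreign_nonce": check_nonce(foreign, user_id, action, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running `demo()` shows both requests passing the POST-only check and only the site-rendered one passing the nonce check. Because the nonce also encodes the action and the user, a token issued for one action cannot be replayed against another, and a token older than the two-tick window is rejected.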
