[wp-hackers] Rethinking check_admin_referer()

Michael D. Adams mikea at turbonet.com
Wed Apr 19 01:05:22 GMT 2006

> On 4/18/06, Brian Layman <Brian at thecodecave.com> wrote:
> which means the attacker reverts to using Javascript, or entices the victim
> to click on an image that's acting as a submit control in a <form>.
> Requiring POST raises the bar, but doesn't really fix the problem.

Perhaps we already are, but let's get this thread back on track.  Mark
wasn't discussing the security problems with the current scheme (which are
not insurmountable [1]), but the convenience problems.

[1] http://codex.wordpress.org/User:MDAWaffe/referers


PS: Not directed at anyone in particular.  Rather, equally applicable to
myself as any other.

More information about the wp-hackers mailing list