[wp-hackers] Rethinking check_admin_referer()

Matt Mullenweg m at mullenweg.com
Wed Apr 19 05:24:27 GMT 2006

Sam Angove wrote:
> The best answer is for them to remove their anti-CSRF security
> completely? The solution is to get a better lock, not leave the door
> open.

Yes. These aren't doors and locks. It's more like taking your shoes off 
at airport security. The chances of anyone having something bad in their 
shoes is infinitesimal, and it mostly serves to make people feel better.

If one person is allowed to walk through with their shoes on (as people 
were allowed to for years) the security of airport isn't compromised.

Important problems are ones that are easily scriptable into worms: SQL 
injection, arbitrary PHP code execution, site defacing, etc.

Our first and best line of defense is always going to be around how we 
filter and display submitted HTML. This can also be easily tightened up 
without compromising the user experience.

> I think the reason you can't find anything is because there's nothing
> to find. A working exploit would be big news. Here's a relevant
> Crypto-Gram article[1]. ;)

Just as Douglas Crockford deemphasized JSON for years because of the 
troubling security implications, many of the brightest minds in a given 
field are not interested in the "glory" of creating a fuss on bugtraq 
and their ilk.

> How are users being punished? The worst case for them should be the
> occasional "are you sure you want to do this?" confirmation page,
> which is *better* than the current "wrong referrer" die().

Are you sure you want an answer? [ OK ] [ Cancel ]

Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

More information about the wp-hackers mailing list