[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Wed Apr 19 11:03:21 GMT 2006

Matt Mullenweg wrote:

> If the best an attacker can do is embed a link in a comment or email and 
> hope you click on it, then we've succeeded. At some point we have to 
> stop punishing normal users for the extreme edge cases.

No, If that's possible, you've made a classic mistake. Clicking the link 
should not take any action. That's the difference between GET and POST:


It's easy to fix. You just need to make sure that all actions take place 
through POST, not GET, regardless of URL. This wouldn't punish anybody.

Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!

More information about the wp-hackers mailing list