[wp-hackers] Rethinking check_admin_referer()
elharo at metalab.unc.edu
Wed Apr 19 11:03:21 GMT 2006
Matt Mullenweg wrote:
> If the best an attacker can do is embed a link in a comment or email and
> hope you click on it, then we've succeeded. At some point we have to
> stop punishing normal users for the extreme edge cases.
No. If that's possible, you've made a classic mistake. Clicking the link
should not take any action. That's the difference between GET and POST.
It's easy to fix. You just need to make sure that all actions take place
through POST, not GET, regardless of URL. This wouldn't punish anybody.
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
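The GET-versus-POST point above, as an added example in plain PHP (WordPress's language); this is not code from the original post or from WordPress, and the names delete_post_vulnerable(), delete_post_hardened(), delete_form_html() and the callback $deleteById are hypothetical. The first handler performs the action on any request, so a bare link in a comment or e-mail triggers it. The hardened handler refuses everything but POST, and, since a hostile page can still auto-submit a POST form, it additionally requires a per-session token that a cross-site page cannot read.

```php
<?php
// Added example (not from the original post or from WordPress):
// a minimal "delete post" handler, first as the classic GET-link mistake,
// then hardened so that a bare link cannot perform the action.
// delete_post_vulnerable(), delete_post_hardened(), delete_form_html()
// and the $deleteById callback are hypothetical names for illustration.

declare(strict_types=1);

// --- Vulnerable: any request to /delete.php?id=42 performs the action. ---
// An attacker can put <img src="https://blog.example/delete.php?id=42">
// in a comment or e-mail; the victim's browser attaches its session cookie
// and the post is gone.
function delete_post_vulnerable(array $request, callable $deleteById): string
{
    $id = (int) ($request['id'] ?? 0);
    $deleteById($id);
    return "200 deleted $id";
}

// Constant-time comparison so the token check does not leak by timing.
function csrf_token_is_valid(string $expected, ?string $supplied): bool
{
    return $supplied !== null && hash_equals($expected, $supplied);
}

// --- Hardened: the action runs only on POST, and only with a token ---
// bound to the caller's session. Returns an "HTTP-status message" string
// so the demonstration below can run from the command line.
function delete_post_hardened(
    string $method,
    array $post,
    string $sessionToken,
    callable $deleteById
): string {
    // 1. Refuse anything but POST. A link, <img> or redirect is always GET.
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    // 2. POST alone is not enough: a hostile page can auto-submit a
    //    <form method="post">. The per-session token stops that, because
    //    the cross-site page cannot read the victim's token.
    if (!csrf_token_is_valid($sessionToken, $post['csrf_token'] ?? null)) {
        return '403 bad or missing csrf token';
    }
    $id = (int) ($post['id'] ?? 0);
    $deleteById($id);
    return "200 deleted $id";
}

// The site's own form carries the token; the token is generated once per
// session and kept server-side (for example in $_SESSION).
function delete_form_html(int $id, string $sessionToken): string
{
    $token = htmlspecialchars($sessionToken, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Delete</button></form>';
}

// --- Constructed demonstration (no real web server or database) ---
$deleted = [];
$deleteById = function (int $id) use (&$deleted): void { $deleted[] = $id; };
$sessionToken = bin2hex(random_bytes(16));

// Forged GET link: the vulnerable handler deletes, the hardened one refuses.
echo delete_post_vulnerable(['id' => '42'], $deleteById), "\n";
echo delete_post_hardened('GET', ['id' => '42'], $sessionToken, $deleteById), "\n";
// Cross-site auto-submitted POST without the token: still refused.
echo delete_post_hardened('POST', ['id' => '42'], $sessionToken, $deleteById), "\n";
// Legitimate submission of the site's own form: succeeds.
echo delete_post_hardened('POST', ['id' => '42', 'csrf_token' => $sessionToken],
                          $sessionToken, $deleteById), "\n";
echo 'deleted ids: ', implode(',', $deleted), "\n";
echo delete_form_html(42, $sessionToken), "\n";
```

Run it with `php example.php`: only the vulnerable handler and the final, token-bearing POST delete anything, so the vulnerable call and the legitimate one each log 42 while the forged GET and the token-less POST are refused. Enforcing the method is the cheap first step the message asks for; the token is the second layer that closes the form-auto-submit route.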