[wp-hackers] Rethinking check_admin_referer()
false.hopes at gmail.com
Wed Apr 19 17:28:38 GMT 2006
On 4/19/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Matt Mullenweg wrote:
> > If the best an attacker can do is embed a link in a comment or email and
> > hope you click on it, then we've succeeded. At some point we have to
> > stop punishing normal users for the extreme edge cases.
> No, If that's possible, you've made a classic mistake. Clicking the link
> should not take any action. That's the difference between GET and POST:
> It's easy to fix. You just need to make sure that all actions take place
> through POST, not GET, regardless of URL. This wouldn't punish anybody.
its not so easy to fix.
More information about the wp-hackers