[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Wed Apr 19 17:28:38 GMT 2006


On 4/19/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Matt Mullenweg wrote:
>
> > If the best an attacker can do is embed a link in a comment or email and
> > hope you click on it, then we've succeeded. At some point we have to
> > stop punishing normal users for the extreme edge cases.
>
>
> No, If that's possible, you've made a classic mistake. Clicking the link
> should not take any action. That's the difference between GET and POST:
>
> http://cafe.elharo.com/web/rest-mistake-1-confirming-gets/
>
> It's easy to fix. You just need to make sure that all actions take place
> through POST, not GET, regardless of URL. This wouldn't punish anybody.

A link with embedded javascript in an e-mail will easily bypass this,
its not so easy to fix.

--
--Robert Deaton
http://somethingunpredictable.com


More information about the wp-hackers mailing list