[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Wed Apr 19 17:34:52 GMT 2006


Robert Deaton wrote:

>> It's easy to fix. You just need to make sure that all actions take place
>> through POST, not GET, regardless of URL. This wouldn't punish anybody.
> 
> A link with embedded javascript in an e-mail will easily bypass this,
> it's not so easy to fix.
> 

That's hard to believe. Are users (and more importantly e-mail vendors) 
really so clueless about web security and HTTP that this is possible?

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim

