[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Wed Apr 19 17:42:33 GMT 2006


On 4/19/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Robert Deaton wrote:
>
> >> It's easy to fix. You just need to make sure that all actions take place
> >> through POST, not GET, regardless of URL. This wouldn't punish anybody.
> >
> > A link with embedded JavaScript in an e-mail will easily bypass this;
> > it's not so easy to fix.
> >
>
> That's hard to believe. Are users (and more importantly e-mail vendors)
> really so clueless about web security and HTTP that this is possible?

Yes.

--
--Robert Deaton
http://somethingunpredictable.com
