[wp-hackers] Rethinking check_admin_referer()
false.hopes at gmail.com
Wed Apr 19 17:42:33 GMT 2006
On 4/19/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Robert Deaton wrote:
> >> It's easy to fix. You just need to make sure that all actions take place
> >> through POST, not GET, regardless of URL. This wouldn't punish anybody.
> > its not so easy to fix.
> That's hard to believe. Are users (and more importantly e-mail vendors)
> really so clueless about web security and HTTP that this is possible?
More information about the wp-hackers