[wp-hackers] Rethinking check_admin_referer()
Elliotte Harold
elharo at metalab.unc.edu
Wed Apr 19 19:16:46 GMT 2006
Brian Layman wrote:
> With a WP 2.02 blog, I was able to delete posts without any
> indication to the administrator that it had happened. Using the same
> method, I was able to delete all tracks I'd left behind.
This would be easier to understand if I could see the exploit (security
by obscurity: 1 out of 2 ain't bad) but let's see if I get what you're
doing:
1. You have a default install of WordPress 2.0.2. Call this FOO Blog.
2. You set up a form on another, unrelated site. Call this BAR site.
3. Someone logged into FOO blog as an administrator visits BAR site.
They manually activate your form.
4. This silently deletes a post from FOO blog without the administrator
being immediately aware that's what happened.
Is this correct? If not, what part of this scenario is incorrect?
Does step 3 use GET or POST?
--
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
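Added example, not code from WordPress or from anyone in this thread: a simplified nonce check in the spirit of check_admin_referer(). The token is bound to the site secret, the logged-in user and the intended action, so a form on BAR site, which never sees the token, cannot trigger the delete on FOO blog even though the browser attaches the admin's cookies. The secret, the nonce lifetime and the request shape are assumptions.

```python
import hashlib
import hmac
import time

# Constructed values for the example: a server-side secret and a nonce lifetime.
SITE_SECRET = b"example-site-secret-not-a-real-key"
NONCE_LIFETIME = 12 * 3600  # seconds; a nonce is tied to a coarse time window


def _tick(now=None):
    """Coarse time window so a nonce stays valid for a while, then expires."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFETIME / 2))


def create_nonce(action, user_id, now=None):
    """Mint a token tied to this site's secret, the logged-in user and the action."""
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current window and the previous one; compare in constant time."""
    if not nonce:
        return False
    t = _tick(now)
    for tick in (t, t - 1):
        msg = f"{tick}|{action}|{user_id}".encode()
        expected = hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def handle_delete_post(request, session_user_id, now=None):
    """Only act on a POST that carries a nonce minted for this user and this action."""
    if request.get("method") != "POST":
        return "rejected: deletes must be POST"
    nonce = request.get("params", {}).get("_wpnonce")
    if not verify_nonce(nonce, "delete-post", session_user_id, now):
        return "rejected: missing or invalid nonce"
    return "deleted"


if __name__ == "__main__":
    admin = 1
    # A form on BAR site: the browser sends FOO's cookies, but the form has no nonce.
    print(handle_delete_post({"method": "POST", "params": {"post": 7}}, admin))
    # FOO's own delete button includes a nonce minted for this admin.
    good = {"method": "POST", "params": {"post": 7, "_wpnonce": create_nonce("delete-post", admin)}}
    print(handle_delete_post(good, admin))
```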