[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Wed Apr 19 19:16:46 GMT 2006

Brian Layman wrote:

>  With a WP 2.02 blog, I was able to delete posts without any
> indication to the administrator that it had happened. Using the same
> method, I was able to delete all tracks I'd left behind.  

This would be easier to understand if I could see the exploit (security 
by obscurity: 1 out of 2 ain't bad) but let's see if I get what you're 

1. You have a default install of WordPress 2.0.2. Call this FOO Blog.

2. You set up a form on another, unrelated site. Call this BAR site.

3. Someone logged into FOO blog as an administrator visits BAR site. 
They manually activate your form.

4. This silently deletes a post from FOO blog without the administrator 
being immediately aware that's what happened.

Is this correct? If not, what part of this scenario is incorrect?

Does step 3 use GET or POST?

Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!

More information about the wp-hackers mailing list