[wp-hackers] Rethinking check_admin_referer()
elharo at metalab.unc.edu
Wed Apr 19 19:16:46 GMT 2006
Brian Layman wrote:
> With a WP 2.02 blog, I was able to delete posts without any
> indication to the administrator that it had happened. Using the same
> method, I was able to delete all tracks I'd left behind.
This would be easier to understand if I could see the exploit (security
by obscurity: 1 out of 2 ain't bad) but let's see if I get what you're
1. You have a default install of WordPress 2.0.2. Call this FOO Blog.
2. You set up a form on another, unrelated site. Call this BAR site.
3. Someone logged into FOO blog as an administrator visits BAR site. They manually activate your form.
4. This silently deletes a post from FOO blog without the administrator being immediately aware that's what happened.
Is this correct? If not, what part of this scenario is incorrect?
Does step 3 use GET or POST?
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
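Added example (my own illustration, not WordPress code and not from this thread): the scenario above works because the browser attaches FOO's login cookie to a request that BAR's form generates, so a per-user, per-action token that BAR cannot know is the usual fix. The `SITE_SECRET`, the 12-hour window and the dict-shaped `request` are assumptions for the example; a Referer check alone is not used because browsers may omit the header.

```python
import hmac
import hashlib
import time

# Constructed secret for the example; a real site would load a random per-site value.
SITE_SECRET = b"example-secret-not-for-production"
NONCE_LIFETIME = 12 * 3600  # seconds; tokens rotate every 12 hours (assumption)


def _tick(now: float) -> int:
    return int(now // NONCE_LIFETIME)


def create_nonce(user_id: int, action: str, now=None) -> str:
    """Token bound to the logged-in user, one specific action and a time window."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id: int, action: str, now=None) -> bool:
    """Accept the current or the immediately previous window; compare in constant time."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return False
    now = time.time() if now is None else now
    for window in (now, now - NONCE_LIFETIME):
        if hmac.compare_digest(nonce, create_nonce(user_id, action, window)):
            return True
    return False


def handle_delete_post(request: dict, session_user_id: int) -> str:
    """Handler for the delete action: the session cookie alone must not be enough.
    `request` is a constructed dict standing in for the HTTP request."""
    if request.get("method") != "POST":
        return "rejected: state change must be POST"
    post_id = request["params"].get("post")
    nonce = request["params"].get("_nonce")
    # The action name includes the post id, so a token for one post cannot delete another.
    if not verify_nonce(nonce, session_user_id, f"delete-post_{post_id}"):
        return "rejected: missing or invalid nonce"
    return f"deleted post {post_id}"
```

The form on BAR site in step 2 can carry the admin's cookie but not a token it never saw, so `handle_delete_post` rejects it while the admin's own form, which embeds `create_nonce(...)`, succeeds.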