Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Wed Apr 19 19:36:37 GMT 2006

On 4/19/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> This would be easier to understand if I could see the exploit (security
> by obscurity: 1 out of 2 ain't bad) but let's see if I get what you're
> doing:
> 1. You have a default install of WordPress 2.0.2. Call this FOO Blog.
> 2. You set up a form on another, unrelated site. Call this BAR site.
> 3. Someone logged into FOO blog as an administrator visits BAR site.
> They manually activate your form.
> 4. This silently deletes a post from FOO blog without the administrator
> being immediately aware that's what happened.
> Is this correct? If not, what part of this scenario is incorrect?

At the moment, this is not possible; the HTTP referer check stops this
from happening. We're discussing alternates to the referer check that
will not require sending referers but will offer the same protection.

--Robert Deaton
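To make the contrast concrete, here is an added example (not code from this thread or from WordPress) in Python: the referer check as described above, beside a per-user, per-action token of the kind a referer-free alternative would rely on. The host names, secret, time window and request data are all constructed for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit

# Constructed secret for the example; a real install would keep its own secret key.
SITE_SECRET = b"constructed-example-secret"
WINDOW = 43200          # token lifetime bucket: 12 hours
NOW = 1145475397        # fixed "current time" so the example is reproducible

def referer_check(request, site_host="foo.example"):
    """The check the thread describes: accept only if the Referer names our own host.
    A browser that sends no Referer at all is rejected, even for a legitimate user."""
    referer = request.get("headers", {}).get("Referer", "")
    return urlsplit(referer).netloc == site_host

def make_nonce(user_id, action, now=None):
    """Token bound to the user, the action and a time bucket; only the server can mint it."""
    tick = int((now or time.time()) // WINDOW)
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:10]

def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current or the previous bucket so a form does not expire mid-edit."""
    now = now or time.time()
    for back in (0, 1):
        expected = make_nonce(user_id, action, now - back * WINDOW)
        if hmac.compare_digest(nonce, expected):
            return True
    return False

def authorize_delete(request, user_id, action="delete-post", now=None):
    """Referer-free alternative: the form must carry a token minted for this user/action."""
    return verify_nonce(request.get("form", {}).get("_nonce", ""), user_id, action, now)

def sample_requests(user_id=1, now=NOW):
    """Constructed requests: FOO's own form, BAR's cross-site form, and FOO's form
    submitted by a browser configured not to send Referer headers."""
    good = make_nonce(user_id, "delete-post", now)
    return {
        "foo_form": {"headers": {"Referer": "http://foo.example/wp-admin/edit.php"},
                     "form": {"post": 7, "_nonce": good}},
        # BAR cannot derive the token without SITE_SECRET, so it can only guess one.
        "bar_form": {"headers": {"Referer": "http://bar.example/trap.html"},
                     "form": {"post": 7, "_nonce": "deadbeef00"}},
        "no_referer": {"headers": {}, "form": {"post": 7, "_nonce": good}},
    }
```

Both checks reject BAR's form; only the token check also accepts the legitimate user whose browser strips the Referer.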

