[wp-hackers] Rethinking check_admin_referer()

David Chait davebytes at comcast.net
Thu Apr 20 15:44:25 GMT 2006

Owen wrote:
| ii) Security - The system is not impenetrable.  If an unfiltered URL to
| an admin page that deletes things appears /within/ the admin (such as a
| link in a comment from the comment moderation page), and the admin
| inadvertently clicks on it, it will trigger the deletion.

questions from this:

1. why aren't we already filtering ALL URLs that exist within posts or 
comments that contain 'wp-admin/', et al?  At the least, munge such links 
within the admin interface...  Wouldn't that remove some aspects of this 
attack vector?  Or turn links into non-clickable text (I'll copy-paste to my 
browser if it avoids security issues!  I do this daily with urls in emails 

2. the a CSRF example is much scarier.  I look at a link-hover in the status 
bar, it looks like a valid jpg link, but the thing ends up doing a redirect 
back to me with something malicious.  I can see how Nonces or other hash 
would hopefully eliminate this case.

| If we do anything at all, it should be c with b-2.

I'll buy that.  So long as the "AYS" stuff is included.

I have more thoughts, will fork a different topic... ;)


More information about the wp-hackers mailing list