[wp-hackers] Rethinking check_admin_referer()

John Joseph Bachir jjb at ibiblio.org
Thu Apr 20 17:12:04 GMT 2006

On Fri, 21 Apr 2006, Sam Angove wrote:

> It's a worry if users without referrers are directed to disable the 
> check, since it leaves them open to dangerous links or forms from 
> anywhere around the web, not just their own admin.
> Using tokens also provides protection in case of an exploit using <img 
> src="[evil]" /> or similar, which is of much more cause for concern than 
> a malicious link. I'll be shocked if there's no-one who's enabled 
> posting of images in comments.

Not to toot my own horn but... this problem is solved and implemented in 
Lyceum, using a security token for every administrative action, which 
results in an identical user experience to wordpress, and allows for 
usage of post or get requests as desired by the programmer. Is there 
anything about this solution that folks don't like?

aim/yim/msn/jabber.org: johnjosephbachir

More information about the wp-hackers mailing list