[wp-hackers] Rethinking check_admin_referer()
Elliotte Harold
elharo at metalab.unc.edu
Sat Apr 22 11:58:03 GMT 2006
Robert Deaton wrote:
> Like I said before, people with access to your blog should be "trusted
> users" as someone said earlier. If you can't trust the users on your
> blog, you have bigger issues at hand.
>
Insider attacks still account for a large portion of successful and
sometimes undetected cracks. Privileges are important. Authors I trust
to write their own articles and submit drafts should not be trusted to
publish drafts. Editors I trust to edit and approve articles shouldn't
be trusted to edit the blog's theme.

Security professionals gave up on the idea of trusting everyone on a
system so many decades ago I don't even remember when. Different users
have different levels of trust. The system should not enable a user to
escalate their privileges unilaterally.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
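The role separation argued for above (authors draft, editors publish, only administrators touch the theme, and nobody escalates their own privileges) as an added example; this is illustrative code, not WordPress's own role system and not part of the original thread. The role names, capability names, users and audit log are all constructed for the demonstration.

```python
# Added example (not WordPress code): a minimal role/capability model that
# enforces what the post argues for. Each role gets only the capabilities its
# job needs, every privileged action passes one central check, and role
# changes (the escalation path) are constrained so no one can grant themselves
# or others more than they already hold.

AUDIT_LOG = []  # every denied action is recorded here for later review

# Constructed role -> capability map; names are illustrative, not WordPress's.
ROLE_CAPS = {
    "author": {"write_post", "submit_draft"},
    "editor": {"write_post", "submit_draft", "edit_others_posts", "publish_posts"},
    "administrator": {"write_post", "submit_draft", "edit_others_posts",
                      "publish_posts", "edit_theme", "change_roles"},
}


class PermissionDenied(Exception):
    """Raised when an actor lacks the capability an action requires."""


class User:
    def __init__(self, name, role):
        if role not in ROLE_CAPS:
            raise ValueError(f"unknown role {role!r}")
        self.name = name
        self.role = role

    def capabilities(self):
        return ROLE_CAPS[self.role]

    def can(self, cap):
        return cap in self.capabilities()


def require(actor, cap):
    """Central check: every privileged action goes through here, so a denial
    is both enforced and logged in one place."""
    if not actor.can(cap):
        AUDIT_LOG.append(f"DENY {actor.name} ({actor.role}) lacks {cap}")
        raise PermissionDenied(f"{actor.name} may not {cap}")


def publish_draft(actor, post):
    """Authors may write drafts; only a role holding publish_posts may publish."""
    require(actor, "publish_posts")
    post["status"] = "published"
    return post


def edit_theme(actor, theme, new_css):
    """Editors can approve articles but are not trusted with the theme."""
    require(actor, "edit_theme")
    theme["css"] = new_css
    return theme


def change_role(actor, target, new_role):
    """Role changes are the escalation path, so three rules apply: the actor
    needs change_roles, may never change their own role, and may not hand out
    capabilities beyond the ones they already hold."""
    require(actor, "change_roles")
    if actor is target:
        AUDIT_LOG.append(f"DENY {actor.name} tried to change own role")
        raise PermissionDenied("no unilateral self-escalation")
    if not ROLE_CAPS[new_role] <= actor.capabilities():
        AUDIT_LOG.append(f"DENY {actor.name} tried to grant {new_role}")
        raise PermissionDenied(f"{actor.name} cannot grant {new_role}")
    target.role = new_role
    return target


def attempt(action, *args):
    """Run an action and report (allowed, detail) instead of raising, which
    keeps the demonstration below readable."""
    try:
        return True, action(*args)
    except PermissionDenied as exc:
        return False, str(exc)


if __name__ == "__main__":
    alice = User("alice", "author")
    ed = User("ed", "editor")
    root = User("root", "administrator")
    draft = {"title": "Draft", "status": "draft"}
    print(attempt(publish_draft, alice, draft))            # denied: author
    print(attempt(publish_draft, ed, draft))               # allowed: editor
    print(attempt(edit_theme, ed, {"css": ""}, "body{}"))  # denied: editor
    print(attempt(change_role, ed, alice, "editor"))       # denied: no change_roles
    print(attempt(change_role, root, root, "author"))      # denied: own role
    print(attempt(change_role, root, alice, "editor"))     # allowed
    print(*AUDIT_LOG, sep="\n")
```

The point of routing everything through `require()` is that the denial is logged where it is enforced, so an insider probing for actions outside their role shows up in the audit trail rather than failing silently; the subset test in `change_role()` is what stops a delegated "promote users" capability from becoming a route to a higher role than the promoter's own.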