[wp-hackers] Security at Wordpress

Elliotte Harold elharo at metalab.unc.edu
Mon Apr 24 15:06:23 GMT 2006

Owen Winkler wrote:

> I find little practical use for the proposed sweeping changes to POST 
> actions, since the only gain we would make is tenuous standards support, 
> which according to the excerpts you provided, we already achieve.

There are two major open security holes that would never have happened 
if WordPress used POST instead of GET, and you see little gain?

There are entire sites that have been deleted by spiders and web 
accelerators because they used GET where they should have used POST, and 
you see little gain?

There's a lot more going on here than an obsessive concern with 
standards support. The safety of GET isn't a dusty corner of the HTTP 
spec. It's a core principle of HTTP, and anyone who violates it does so 
at their peril. I strongly suspect the two bugs uncovered so far are not 
the last problems to surface from this mistake.

Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!

More information about the wp-hackers mailing list