[wp-hackers] Security at Wordpress

Owen Winkler ringmaster at midnightcircus.com
Mon Apr 24 16:02:46 GMT 2006

Ryan Scheuermann wrote:
> I mean, using a checkbox form for post delete solves a lot of the 
> current issues:

> 3. no need for nonces if the delete action requires POST

Using POST does not obviate nonces or referer checks.  If someone were 
to create a form on a different site that POSTed the right info to the 
page that deletes your posts, and then tricked you into clicking it 
somehow, it would delete the posts.  And we're talking about deleting 
more than one post now?  Yikes.  Yes, it would work with just the 
referer check, but then that form would only work in environments that 
support the referer.  That is what the nonces are for, to replace 
referer checks with something more available.

Using POST does not obviate nonces or referer checks.

> 5. adds new functionality for mass delete of posts (even if not needed)

Oops.  I just accidentally deleted <s>that one post</s> *everything*. 
Oh, dear.
Time to revisit this:

> 7. follows a widely accepted and user-friendly model for web applications

It also makes it very difficult to insert new per-row POST forms, if 
that's something we might ever consider in the future.  As unlikely as 
that might be.  Although, I do remember code around in one of these 
tables that let you add new columns in a clever way.  Might have been 
the Manage Posts page.


More information about the wp-hackers mailing list