[wp-hackers] Security at Wordpress

Ryan Scheuermann ryan at concept64.com
Mon Apr 24 16:26:19 GMT 2006

Owen wrote:
> Using POST does not obviate nonces or referer checks.  If someone were 
> to create a form on a different site that POSTed the right info to the 
> page that deletes your posts, and then tricked you into clicking it 
> somehow, it would delete the posts.  And we're talking about deleting 
> more than one post now?  Yikes.  Yes, it would work with just the 
> referer check, but then that form would only work in environments that 
> support the referer.  That is what the nonces are for, to replace 
> referer checks with something more available.
> Using POST does not obviate nonces or referer checks.
> Owen
I do think having nonces would be beneficial for security 
authentication, but only implementing nonces to patch something that 
could be fixed with a simple POST vs GET solution does seems like 
overkill.  And (I'm not taking /his/ side but) who knows, doing deletes 
on a GET request may present even more problems down the road that we 
aren't foreseeing now - even with nonces implemented. 

Nonces are a big step and require a lot of testing and code rework.  I 
know that's already in the works, but simply replacing a delete link 
with a checkbox-based POST form seems a lot less "involved" to me - and 
does seem like the /right/ way of doing things.  But I don't know, I 
can't see all the /problems/ with using a checkbox form yet.  Forgive me 
if I sound like I'm attacking, I'm really not.  I promise.  :-)


More information about the wp-hackers mailing list