[wp-hackers] Security at Wordpress
Ryan Scheuermann
ryan at concept64.com
Mon Apr 24 16:26:19 GMT 2006
Owen wrote:
> Using POST does not obviate nonces or referer checks. If someone were
> to create a form on a different site that POSTed the right info to the
> page that deletes your posts, and then tricked you into clicking it
> somehow, it would delete the posts. And we're talking about deleting
> more than one post now? Yikes. Yes, it would work with just the
> referer check, but then that form would only work in environments that
> support the referer. That is what the nonces are for, to replace
> referer checks with something more available.
>
> Using POST does not obviate nonces or referer checks.
>
> Owen
>
I do think having nonces would be beneficial for security
authentication, but only implementing nonces to patch something that
could be fixed with a simple POST vs GET solution does seem like
overkill. And (I'm not taking /his/ side but) who knows, doing deletes
on a GET request may present even more problems down the road that we
aren't foreseeing now - even with nonces implemented.
Nonces are a big step and require a lot of testing and code rework. I
know that's already in the works, but simply replacing a delete link
with a checkbox-based POST form seems a lot less "involved" to me - and
does seem like the /right/ way of doing things. But I don't know, I
can't see all the /problems/ with using a checkbox form yet. Forgive me
if I sound like I'm attacking, I'm really not. I promise. :-)
Ryan
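To make Owen's point concrete, here is an added example (not WordPress code, and not from either author; the secret, the tick-based expiry and the request shape are constructed assumptions): a delete handler that accepts only POST and still requires a per-user, per-action, time-limited nonce, so a form POSTed from another site is rejected because that site cannot compute the nonce.

```python
import hmac
import hashlib
import time

# Per-site secret (constructed value for the example; a real site keeps this private).
SECRET = b"constructed-example-secret-key"
NONCE_LIFE = 24 * 3600          # a nonce is accepted for at most one day
_HALF_LIFE = NONCE_LIFE // 2    # nonces are minted per half-life "tick"


def _tick(now):
    """Which half-life window the timestamp falls in."""
    return int(now // _HALF_LIFE)


def _nonce_for(tick, user_id, action):
    # Nonce binds: time window + action + user, keyed with the site secret.
    msg = "%d|%s|%s" % (tick, action, user_id)
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()[:12]


def create_nonce(user_id, action, now=None):
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), user_id, action)


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current tick and the previous one (so lifetime is 0.5-1 day)."""
    now = time.time() if now is None else now
    tick = _tick(now)
    for t in (tick, tick - 1):
        if hmac.compare_digest(_nonce_for(t, user_id, action), nonce):
            return True
    return False


def handle_delete(request, session_user, now=None):
    """Return (status, deleted_ids). request is a dict: {"method", "form"}."""
    if request["method"] != "POST":
        return 405, []            # GET is refused, but this alone is not CSRF protection
    form = request.get("form", {})
    if not verify_nonce(form.get("_nonce", ""), session_user, "delete-posts", now):
        return 403, []            # forged cross-site form: no valid nonce, nothing deleted
    return 200, [int(i) for i in form.get("post_ids", [])]
```

Even with the browser sending the victim's cookies, the attacker's form cannot include a nonce for that user and action, so the 403 branch is where the cross-site POST ends.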