[wp-hackers] Security at Wordpress

Mike Little mike at zed1.com
Mon Apr 24 20:30:10 GMT 2006


On 4/24/06, David House <dmhouse at gmail.com> wrote:
> On 24/04/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> > Using POST does not obviate nonces or referer checks.
>
> Lets just re-iterate that, folks.
>
> > Using POST does not obviate nonces or referer checks.
>
> One more time with feeling.
>
> > Using POST does not obviate nonces or referer checks.
>
> A little aside for anyone who doesn't understand the attack vector:

The example exploit, that works NOW, *with* referrer check,
demonstrated by Brian, *would not* work if delete was a POST.  That is
why some people got so heated about POST vs GET. It is demonstrably
safer, right now.
Not completely safe*, true, but safe from the existing exploit!

Allegedly, POST plus referrer check can still be circumvented, though
I do not understand how. Yes, you can fool an admin into clicking on a
link which will take him to a page with an evil form, but even if you
get *that* page to auto submit, the form's referrer would be itself,
not an admin page.

Unlike the GET attack which can be in your admin comments page, there
is no way to get an evil form in an Admin page, apart from authorised
users who can do any number of evil things.


Mike
--
Mike Little
http://zed1.com/
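To make the three layers the thread is arguing about concrete, here is a small added illustration in Python; it is not code from this thread nor WordPress's own implementation. It assumes a made-up admin host name (`blog.example`), a hypothetical `_nonce` form field, an action string of the form `delete-comment-<id>`, and an HMAC-based nonce bound to the logged-in user, the action and a 12-hour window. The `demo()` function runs four constructed requests through the check with each layer toggled, so you can see which layer rejects what: a referer check on its own lets through a GET that the browser fires while rendering an admin page, requiring POST blocks that one, and a nonce blocks it as well, while a form auto-submitted from an outside page fails the referer check, as the mail above reasons.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed values for this example: the server secret is generated
# fresh on every run and the admin host name is made up.
SERVER_SECRET = secrets.token_bytes(32)
ADMIN_HOST = "blog.example"
NONCE_WINDOW = 12 * 60 * 60  # seconds per nonce validity window


def _tick(now: Optional[float] = None) -> int:
    return int((time.time() if now is None else now) // NONCE_WINDOW)


def make_nonce(user_id: int, action: str, now: Optional[float] = None) -> str:
    """Nonce bound to the logged-in user, the specific action and a time
    window, so one user's nonce cannot be replayed for another user/action."""
    msg = f"{_tick(now)}|{user_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce: str, user_id: int, action: str,
                 now: Optional[float] = None) -> bool:
    """Accept the current window and the previous one (a form loaded just
    before the boundary still submits) and compare in constant time."""
    base = _tick(now)
    for tick in (base, base - 1):
        expected = make_nonce(user_id, action, now=tick * NONCE_WINDOW)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


@dataclass
class Request:
    method: str
    referer: Optional[str]  # Referer header as sent by the browser, if any
    params: dict            # query-string or form fields
    user_id: int            # user the session cookie resolves to


def referer_ok(req: Request) -> bool:
    """Referer check: the request must claim to come from the admin host."""
    if not req.referer:
        return False
    return urlparse(req.referer).hostname == ADMIN_HOST


def authorize_delete(req: Request, require_post: bool = True,
                     require_nonce: bool = True) -> Tuple[bool, str]:
    """Decide whether a comment-delete request is allowed; the flags let the
    demo show what each layer rejects on its own."""
    if require_post and req.method != "POST":
        return False, "method"
    if not referer_ok(req):
        return False, "referer"
    action = f"delete-comment-{req.params.get('id')}"
    if require_nonce and not verify_nonce(req.params.get("_nonce", ""),
                                          req.user_id, action):
        return False, "nonce"
    return True, "ok"


def demo() -> dict:
    """Constructed requests covering the cases discussed in the thread."""
    admin_page = f"https://{ADMIN_HOST}/wp-admin/edit-comments.php"
    user = 1
    good_nonce = make_nonce(user, "delete-comment-7")

    # A real delete submitted from the admin page together with its nonce.
    legit = Request("POST", admin_page, {"id": "7", "_nonce": good_nonce}, user)
    # A GET the browser fires while rendering the admin comments page:
    # the Referer it sends is the admin page itself.
    planted_get = Request("GET", admin_page, {"id": "7"}, user)
    # A form on an outside page that auto-submits: Referer is that page.
    outside_post = Request("POST", "https://outside.example/page.html",
                           {"id": "7"}, user)
    # Same, but the browser or a proxy stripped the Referer entirely.
    no_referer = Request("POST", None, {"id": "7", "_nonce": "0" * 16}, user)

    return {
        # Referer check alone: the GET from the admin page passes (the bug).
        "planted_get_referer_only": authorize_delete(planted_get, False, False),
        # Requiring POST stops that case, as the mail argues...
        "planted_get_post_required": authorize_delete(planted_get, True, False),
        # ...and a nonce stops it even where GET is still accepted.
        "planted_get_nonce_required": authorize_delete(planted_get, False, True),
        "outside_post": authorize_delete(outside_post),
        "no_referer": authorize_delete(no_referer),
        "legit": authorize_delete(legit),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The nonce is what makes the check independent of the Referer header: a request that reaches the server without a nonce computed from the victim's own session is refused no matter which page it claims to come from, and no matter whether it arrived as GET or POST.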