[wp-hackers] Security at Wordpress

David House dmhouse at gmail.com
Mon Apr 24 20:50:52 GMT 2006

On 24/04/06, Mike Little <mike at zed1.com> wrote:
> Allegedly, POST plus referrer check can still be circumvented, though
> I do not understand how. Yes, you can fool an admin into clicking on a
> link which will take him to a page with an evil form, but even if you
> get *that* page to auto submit, the form's referrer would be itself,
> not an admin page.

No, that's not what I claimed. I said that if we switched to POST
actions, we'd still need nonces OR a referer check, and as referer
checks are easily missed and an annoyance to those firewalled, nonces
are the way forward.

Just to clarify.

-David House, dmhouse at gmail.com, http://xmouse.ithium.net
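As an added illustration of the nonce approach David favours (example code written for this page, not WordPress's own implementation, and only loosely modelled on its scheme; the secret key and the action name are constructed), a per-user, per-action, time-limited token and the server-side check that a POST handler performs instead of relying on the Referer header:

```python
import hashlib
import hmac
import time

# Constructed secret; a real deployment loads this from configuration, never from source.
SECRET_KEY = b"constructed-example-secret"
NONCE_LIFE = 24 * 60 * 60  # a token is honoured for at most 24 hours


def nonce_tick(now):
    """12-hour tick counter; a token is valid for the tick it was minted in and the next one."""
    return int(now // (NONCE_LIFE / 2))


def _digest(tick, action, user_id):
    # Bind the token to time window, action and acting user: a token for one action
    # or one user is useless for any other, and it expires on its own.
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, now=None):
    """Mint a token to embed as a hidden field in the form for this action."""
    now = time.time() if now is None else now
    return _digest(nonce_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Return 1 if minted in the current tick, 2 if in the previous tick, 0 if invalid/expired."""
    now = time.time() if now is None else now
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        # Constant-time comparison so the check leaks nothing about the expected value.
        if hmac.compare_digest(_digest(t, action, user_id), nonce):
            return age
    return 0


def handle_post(form, user_id, now=None):
    """Server side of a POST action: refuse unless the submitted token matches action and user."""
    if not verify_nonce(form.get("_wpnonce", ""), "delete-post_42", user_id, now):
        return 403  # forged or stale request, e.g. a cross-site auto-submitted form
    return 200
```

A form rendered for another user, or for another action, carries a token this check rejects even though the request is a POST from the same browser session.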