[wp-hackers] Re: wp-hackers Digest, Vol 25, Issue 18

Tom Barta tbarta at gmail.com
Wed Feb 14 05:49:27 GMT 2007

Elliotte Harold wrote:
> Alex Günsche wrote:
> > With the same arguments, you could say that other managing actions which
> > are triggered by a GET request are vulnerable to XSS attacks.
> Very possibly they are. Managing actions should not be triggered by GET
> requests. Full stop.
> I doubt we've seen the last or the worst of these attacks.

I agree on both cases:

Per the HTTP RFC(s), GET requests are supposed to be idempotent.
Technically, this means that GETting a URL any number of times will
have identical side effects to getting it once.  In practice, this
usually means that GET requests have no long-standing side-effects.
If admin pages operate on a POST -> redirect -> GET pattern, then we
get several advantages:
 - A web browser's back/forward operations won't ever trigger a
duplicate action (since browser history skips over the redirected
 - A web browser won't prompt the user to re-submit POSTed data,
because no POSTed page ever produces output.

However, I don't know that this by itself will stop XSS attacks.  A
link could simply have a javascript action to create and submit an
arbitrary form as a post.  I do know there are a lot of places (see
http://trac.wordpress.org/ticket/3279) where Wordpress doesn't
properly escape its output, and every one of them is a potential
entrypoint for attacks.

Tom Barta

More information about the wp-hackers mailing list