[wp-hackers] Re: wp-hackers Digest, Vol 25, Issue 18
Edward Z. Yang
edwardzyang at thewritingpot.com
Wed Feb 14 11:57:21 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tom Barta wrote:
> Per the HTTP RFC(s), GET requests are supposed to be idempotent.
> Technically, this means that GETting a URL any number of times will
> have identical side effects to getting it once. In practice, this
> usually means that GET requests have no long-standing side-effects.
> If admin pages operate on a POST -> redirect -> GET pattern, then we
> get several advantages:
> - A web browser's back/forward operations won't ever trigger a
> duplicate action (since browser history skips over the redirected
> POSTs)
> - A web browser won't prompt the user to re-submit POSTed data,
> because no POSTed page ever produces output.
That's correct. Also remember that cache accelerators, which preload
links on a page, won't accidently trigger actions.
> However, I don't know that this by itself will stop XSS attacks. A
> link could simply have a javascript action to create and submit an
> arbitrary form as a post. I do know there are a lot of places (see
> http://trac.wordpress.org/ticket/3279) where Wordpress doesn't
> properly escape its output, and every one of them is a potential
> entrypoint for attacks.
JavaScript can cause an arbitrary GET/POST request on any page on the
web. Nonces effectively guard against them though, because due to
same-domain restrictions there's no way for the malicious code to find
out the nonce unless their on the same domain.
It would be really cool if WordPress had a framework that automatically
did noncing for you for all core actions. And, of course, XSS is always
a problem too (though, most of the time, fixing that is just adding an
appropriate htmlspecialchars().
- --
Edward Z. Yang Personal: edwardzyang at thewritingpot.com
SN:Ambush Commander Website: http://www.thewritingpot.com/
GPGKey:0x869C48DA http://www.thewritingpot.com/gpgpubkey.asc
3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF0vkhqTO+fYacSNoRAgtNAJ43ryLAQDD6tDaNZBqKPGooJO4v6wCggMJV
+crrXMxARkuuzs3VoTDDdxo=
=eyvV
-----END PGP SIGNATURE-----
More information about the wp-hackers
mailing list