Tom Barta wrote:
> Per the HTTP RFC(s), GET requests are supposed to be idempotent.
> Technically, this means that GETting a URL any number of times will
> have identical side effects to getting it once.  In practice, this
> usually means that GET requests have no long-standing side-effects.
> If admin pages operate on a POST -> redirect -> GET pattern, then we
> get several advantages:
> - A web browser's back/forward operations won't ever trigger a
> duplicate action (since browser history skips over the redirected
> POSTs)
> - A web browser won't prompt the user to re-submit POSTed data,
> because no POSTed page ever produces output.

That's correct. Also remember that cache accelerators, which preload
links on a page, won't accidentally trigger actions.

> However, I don't know that this by itself will stop XSS attacks.  A
> link could simply have a javascript action to create and submit an
> arbitrary form as a post.  I do know there are a lot of places (see
> http://trac.wordpress.org/ticket/3279) where Wordpress doesn't
> properly escape its output, and every one of them is a potential
> entrypoint for attacks.

JavaScript can cause an arbitrary GET/POST request on any page on the
web. Nonces effectively guard against them though, because due to
same-domain restrictions there's no way for the malicious code to find
out the nonce unless they're on the same domain.

It would be really cool if WordPress had a framework that automatically
did noncing for you for all core actions. And, of course, XSS is always
a problem too (though, most of the time, fixing that is just adding an
appropriate htmlspecialchars()).
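
An added example (not code from this thread or from WordPress itself) of the two points made in the reply: a nonce that is an HMAC over the action, the acting user and a time tick, and an admin handler that only acts on a POST carrying a valid nonce and then redirects so the browser's history holds only GETs. The secret key, the request shape, the `delete-post_<id>` action name and the 12-hour tick window are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this example; a real site uses its own per-site secret key.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
NONCE_LIFE = 12 * 60 * 60      # tokens are accepted for the current and previous tick
TICK = NONCE_LIFE // 2         # so the actual lifetime is 12 to 24 hours


def nonce_tick(now=None):
    """Current tick number: half-lifetimes elapsed since the epoch, rounded up."""
    now = time.time() if now is None else now
    return int(-(-now // TICK))


def _mac(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def create_nonce(action, user_id, now=None):
    """Token bound to the action, the acting user, and the current tick."""
    return _mac(nonce_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """2 if minted in this tick, 1 if in the previous one, 0 if invalid/expired.
    Constant-time comparison keeps timing from leaking the expected value."""
    tick = nonce_tick(now)
    for age, t in ((2, tick), (1, tick - 1)):
        if hmac.compare_digest(nonce, _mac(t, action, user_id)):
            return age
    return 0


def handle_delete(request, posts, now=None):
    """Admin handler in the POST -> redirect -> GET style (assumed request shape:
    dict with 'method', 'user_id' and 'form'). Returns (status, headers)."""
    if request["method"] != "POST":
        return 405, {"Allow": "POST"}          # a GET never performs the action
    form = request["form"]
    action = f"delete-post_{form.get('post')}"  # assumed per-object action name
    if not verify_nonce(form.get("_wpnonce", ""), action, request["user_id"], now):
        return 403, {}                         # cross-site forgery: no readable nonce
    posts.pop(form["post"], None)              # the single side effect
    return 303, {"Location": "/edit.php?deleted=1"}  # redirect: back/reload re-GETs only
```

A form submitted by script from another origin can still be sent, but without the token (which that origin cannot read) it stops at the 403 before any side effect.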

