[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Peter Westwood peter.westwood at ftwr.co.uk
Fri Mar 2 14:55:20 GMT 2007


Elliotte Harold wrote:
> Peter Westwood wrote:
> 
>> How does switching to POST over GET remove the possibility of security 
>> holes?  They are both just as exploitable from a security point of 
>> view if they are not given protection.
> 
> GET is supposed to be a safe operation. Users are supposed to be able to 
> follow links without worrying about doing things. In WP, they can't. 
> This leads to various XSS issues and cracks. It's too easy to get the 
> admin to follow a link, Indeed this can happen without any explicit user 
> request at all.
> 
> POST is not, which is why it can't be linked to, bookmarked, prefetched, 
> used to grab an image, etc.
>

Yes, but if I can convince you to click on a link that takes you to your 
blog's admin then I can just as likely convince you to click on a form 
post button that does the same.

That is why both methods _need_ the nonces (or something else like 
referrer checking which isn't as good as the nonces) to prevent the XSS 
issues and cracks.

Switching to POST from GET does not protect against the issues - it just 
makes them slightly harder to exploit - i.e. you can't easily exploit a 
POST issue without user interaction, which you can with a GET issue by 
virtue of using an IMG tag to perform the exploit.

> The issue of using JavaScript to POST without user intervention is an 
> interesting question. I need to explore it further. I'm not sure it's 
> possible, but I'm not sure it isn't either. I suspect the answer may lie 
> in which servers the JavaScript is allowed to talk to, but I'm not a 
> JavaScript expert so I'm not yet sure.
> 

I don't see this as relevant to the issue at hand really.

POST is not more secure than GET.

Believing so leads to a false sense of security.

westi
-- 
Peter Westwood
http://blog.ftwr.co.uk

