[wp-trac] [WordPress Trac] #30742: admin-ajax.php should only execute for browser traffic
WordPress Trac
noreply at wordpress.org
Wed Dec 17 11:05:56 UTC 2014
#30742: admin-ajax.php should only execute for browser traffic
----------------------------+----------------------
Reporter: WebsitesbyMark | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version: 4.0.1
Severity: normal | Resolution: invalid
Keywords: | Focuses:
----------------------------+----------------------
Changes (by mdgl):
* status: reopened => closed
* resolution: => invalid
Comment:
Hello Mark, the function `get_browser()` just looks up browser capabilities in
a local database, normally using the HTTP request header `User-Agent`,
which you can obtain from `$_SERVER['HTTP_USER_AGENT']`.
Unfortunately, there is nothing to stop a hacker or malicious script from
supplying any value of `User-Agent` to impersonate a particular browser
application. This happens quite often and browsers are also known to
impersonate each other! See the section on "User agent spoofing" at
http://en.wikipedia.org/wiki/User_agent.
It is therefore not possible to determine in this way whether a particular HTTP
request is made by a human through a browser.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30742#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform