[wp-hackers] Rethinking check_admin_referer()
Andy Skelton
skeltoac at gmail.com
Mon Apr 17 08:10:34 GMT 2006
On 4/17/06, Paul Mitchell <wp-hackers at paul-mitchell.me.uk> wrote:
> Command URLs could only then be forged if the attacker knows the
> administrator's PIN, which can be changed at will. The administrator
> sees and feels nothing different.
The URL is the most-often logged piece of an HTTP request. I wouldn't
feel good about that kind of security unless it were over HTTPS.
Andy
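Added example (not code from the thread or from WordPress): a small model of the two designs under discussion, so the logging concern can be seen concretely. A static PIN in every command URL is a long-lived secret; once one such URL lands in an access log, the PIN authorizes any command. An action-scoped, time-windowed nonce, along the lines of what check_admin_referer() relies on, still ends up in the log, but the logged value only works for the same user and action and only until the window rolls over. The site secret, the 12-hour window, the 16-character truncation, the query parameter names and the log lines are all constructed assumptions for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a per-site secret kept in server config (constructed value).
SITE_SECRET = b"constructed-site-secret-replace-me"
WINDOW = 12 * 60 * 60  # assumed validity window in seconds


def _digest(tick, user_id, action):
    # HMAC over (time window, user, action); truncation to 16 hex chars is assumed.
    msg = f"{tick}|{user_id}|{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def make_nonce(user_id, action, now):
    return _digest(int(now // WINDOW), user_id, action)


def verify_nonce(token, user_id, action, now):
    # Accept the current and the previous window so a page rendered just before
    # rollover still works; compare in constant time.
    tick = int(now // WINDOW)
    return any(hmac.compare_digest(token, _digest(t, user_id, action)) for t in (tick, tick - 1))


def command_url_with_pin(action, pin):
    # The PIN proposal: the same secret travels in every command URL.
    return "/wp-admin/admin.php?" + urlencode({"action": action, "pin": pin})


def command_url_with_nonce(user_id, action, now):
    return "/wp-admin/admin.php?" + urlencode(
        {"action": action, "_wpnonce": make_nonce(user_id, action, now)}
    )


def params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def authorize_pin_request(url, admin_pin):
    return hmac.compare_digest(params(url).get("pin", ""), admin_pin)


def authorize_nonce_request(url, user_id, now):
    p = params(url)
    return verify_nonce(p.get("_wpnonce", ""), user_id, p.get("action", ""), now)


def url_from_log(line):
    # Constructed common-log-format line: the request target is the second
    # field inside the quoted request string.
    return line.split('"')[1].split(" ")[1]


def pin_reuse_works(line, wanted_action, admin_pin):
    # Whether the PIN copied out of a logged URL authorizes a different command.
    leaked_pin = params(url_from_log(line)).get("pin", "")
    return authorize_pin_request(command_url_with_pin(wanted_action, leaked_pin), admin_pin)


def nonce_reuse_works(line, wanted_action, user_id, now):
    # Whether the nonce copied out of a logged URL authorizes the given
    # command for the given user at time `now`.
    leaked = params(url_from_log(line)).get("_wpnonce", "")
    url = "/wp-admin/admin.php?" + urlencode({"action": wanted_action, "_wpnonce": leaked})
    return authorize_nonce_request(url, user_id, now)


if __name__ == "__main__":
    T0 = 1_145_260_000  # constructed timestamp, April 2006
    pin_line = f'10.0.0.5 - - [17/Apr/2006:08:10:34 +0000] "GET {command_url_with_pin("delete-post", "4321")} HTTP/1.1" 200 512'
    nonce_line = f'10.0.0.5 - - [17/Apr/2006:08:10:34 +0000] "GET {command_url_with_nonce("admin", "delete-post", T0)} HTTP/1.1" 200 512'
    print("PIN from log works for another command:", pin_reuse_works(pin_line, "delete-user", "4321"))
    print("Nonce from log, other command:", nonce_reuse_works(nonce_line, "delete-user", "admin", T0 + 60))
    print("Nonce from log, same command, next day:", nonce_reuse_works(nonce_line, "delete-post", "admin", T0 + 3 * WINDOW))
    print("Nonce from log, same command, same window:", nonce_reuse_works(nonce_line, "delete-post", "admin", T0 + 60))
```

The last line of the demo is the caveat worth keeping in mind: a nonce bounds the damage of a logged URL to one user, one action and one window, but it does not stop replay of that exact command inside the window, which is why the logging concern still argues for HTTPS and for keeping the token out of GET URLs where practical.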