[wp-hackers] Rethinking check_admin_referer()
Matt Mullenweg
m at mullenweg.com
Wed Apr 19 17:34:10 GMT 2006
Robert Deaton wrote:
>> It's easy to fix. You just need to make sure that all actions take place
>> through POST, not GET, regardless of URL. This wouldn't punish anybody.
>
> A link with embedded javascript in an e-mail will easily bypass this,
> it's not so easy to fix.
This has been brought up many times before.
<form method="post" action="http://example.com/wp-admin/delete-all.php">
<input type="submit" name="Submit" value="Click Here" />
for a free iPod!
</form>
That said, there are some places we're using GET gratuitously.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
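The thread's point is that requiring POST does not stop the forged form above: a page anywhere on the web can POST to wp-admin with the victim's cookies attached. What the form cannot carry is a secret token that only the legitimate admin page was given. The example below is added here to illustrate that check; it is not WordPress's check_admin_referer() and not code from this thread. The field name _wpnonce, the 24-hour lifetime, the two-tick acceptance window, the dict-shaped request and the secret are all constructed for the illustration, and the caller is assumed to have already authenticated the user (user_id comes from the session, never from the form).

```python
import hashlib
import hmac
import math

# Constructed parameters for this illustration; not WordPress's real values.
NONCE_LIFE = 24 * 60 * 60   # seconds a token stays valid
NONCE_FIELD = "_wpnonce"    # hypothetical hidden-field name carrying the token


def _tick(now: float) -> int:
    """Time bucket of half a lifetime. A token is honoured for the current
    and the previous bucket, so a form left open for hours still submits,
    but a token that leaked long ago eventually stops working."""
    return math.ceil(now / (NONCE_LIFE / 2))


def make_nonce(secret: bytes, user_id: int, action: str, now: float) -> str:
    """Bind the token to who is acting, what they may do, and when.
    HMAC means a third-party page cannot compute it without the secret,
    and it cannot read it from the victim's page across origins."""
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(secret: bytes, user_id: int, action: str,
                 nonce: object, now: float) -> bool:
    """Accept a token minted in this tick or the previous one."""
    if not isinstance(nonce, str):
        return False
    for ticks_back in (0, 1):
        expected = make_nonce(secret, user_id, action,
                              now - ticks_back * NONCE_LIFE / 2)
        if hmac.compare_digest(expected, nonce):   # constant-time compare
            return True
    return False


def check_admin_referer(request: dict, action: str, secret: bytes,
                        user_id: int, now: float) -> str:
    """Gate a state-changing admin action. Returns 'ok' or a rejection reason.
    The method check alone is the rule the thread shows to be insufficient;
    the nonce check is what actually stops the cross-site form."""
    if request.get("method") != "POST":
        return "method not allowed"
    nonce = request.get("form", {}).get(NONCE_FIELD)
    if nonce is None:
        return "missing nonce"
    if not verify_nonce(secret, user_id, action, nonce, now):
        return "bad nonce"
    return "ok"


# --- Constructed scenario: the forged form from the e-mail vs. a real one ---
SECRET = b"constructed-demo-secret-not-a-real-key"
USER_ID = 2
ACTION = "delete-all"


def forged_request() -> dict:
    """The <form method="post" action=".../delete-all.php"> from the e-mail:
    it POSTs with the victim's cookies but has no way to include a nonce."""
    return {"method": "POST", "form": {"Submit": "Click Here"}}


def legitimate_request(issued_at: float) -> dict:
    """A form rendered by the real admin page, which embedded a fresh nonce."""
    return {"method": "POST",
            "form": {"Submit": "Delete",
                     NONCE_FIELD: make_nonce(SECRET, USER_ID, ACTION, issued_at)}}


if __name__ == "__main__":
    now = 1_700_000_000.0
    print("forged   :", check_admin_referer(forged_request(), ACTION, SECRET, USER_ID, now))
    print("legit    :", check_admin_referer(legitimate_request(now), ACTION, SECRET, USER_ID, now))
    print("stale    :", check_admin_referer(legitimate_request(now - NONCE_LIFE - 1),
                                            ACTION, SECRET, USER_ID, now))
```

The forged request passes the "POST only" rule and fails on the missing token; a token minted for a different action or a different user, or one older than the acceptance window, is rejected as "bad nonce". Tying the token to the action is what keeps a nonce harvested from one form from being replayed against another.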