[wp-hackers] Rethinking check_admin_referer()

Sam Angove sam at rephrase.net
Thu Apr 20 14:26:38 GMT 2006


On 4/20/06, David House <dmhouse at gmail.com> wrote:
>
> 1) Annoyance when the referer check doesn't work, security holes
> arising from clicking links in comments within the admin, or missed
> check_admin_referer() calls.

It's a worry if users without referrers are directed to disable the
check, since it leaves them open to dangerous links or forms from
anywhere around the web, not just their own admin.

Using tokens also provides protection in case of an exploit using
<img src="[evil]" /> or similar, which is much more cause for concern
than a malicious link. I'll be shocked if there's no one who's enabled
posting of images in comments.

Anyway, I agree 100% with Owen. It's a security win *and* a usability
win. If it's pluggable, even better.

(I do think the legacy plugin thing is a problem, though. Is there any
way around it other than hackishly using the DOM to insert hidden
inputs? Bleh.)
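An added example, not code from this thread or from WordPress, of the token approach the reply describes: an HMAC nonce bound to the acting user and the specific action, emitted as a hidden input and verified by the handler. The secret, the action names and the user ids are constructed placeholders.

```php
<?php
// Added example, not code from the thread or from WordPress: an HMAC nonce bound to
// the acting user and the specific action, carried in a hidden input and checked by
// the handler. The secret and the action names are constructed placeholders.
const NONCE_SECRET = 'constructed-placeholder-secret-use-a-long-random-value';
const NONCE_WINDOW = 21600; // seconds; a token stays valid for this window and the next

// The token depends on a server-side secret, so an <img src> or a link planted in a
// comment cannot carry a valid value, whatever the browser sends as Referer.
function make_nonce(int $user_id, string $action, ?int $now = null): string {
    $tick = intdiv($now ?? time(), NONCE_WINDOW);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 16);
}

// Accept the current window's token or the previous one, so a form left open for a
// while still submits; anything else is rejected, using a constant-time comparison.
function verify_nonce(string $nonce, int $user_id, string $action, ?int $now = null): bool {
    $now = $now ?? time();
    foreach ([0, NONCE_WINDOW] as $back) {
        if (hash_equals(make_nonce($user_id, $action, $now - $back), $nonce)) {
            return true;
        }
    }
    return false;
}

// Form side: emit the hidden input for the logged-in user and this exact action.
function nonce_field(int $user_id, string $action): string {
    $value = htmlspecialchars(make_nonce($user_id, $action), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_nonce" value="' . $value . '" />';
}

// Handler side: refuse to act unless the posted nonce matches both user and action.
function handle_delete(array $post, int $current_user, int $post_id): string {
    $action = "delete-post-$post_id";
    if (!isset($post['_nonce']) || !verify_nonce($post['_nonce'], $current_user, $action)) {
        return "Refused: missing or invalid nonce for $action";
    }
    return "Post $post_id deleted";
}

// Constructed demonstration: user 7's own form is accepted; the same token is refused
// for a different post, for a different user, and a guessed value is refused outright.
$nonce = make_nonce(7, 'delete-post-42');
echo handle_delete(['_nonce' => $nonce], 7, 42), "\n";
echo handle_delete(['_nonce' => $nonce], 7, 43), "\n";
echo handle_delete(['_nonce' => $nonce], 8, 42), "\n";
echo handle_delete(['_nonce' => 'guess'], 7, 42), "\n";
```

The legacy-plugin problem from the reply remains: a form that does not include `nonce_field()` fails this check, which is why the thread discusses injecting the hidden input for plugins that were never updated.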


More information about the wp-hackers mailing list