[wp-hackers] Any other way to do it? (or, do we really need
peter.westwood at ftwr.co.uk
Fri Mar 2 14:55:20 GMT 2007
Elliotte Harold wrote:
> Peter Westwood wrote:
>> How does switching to POST over GET remove the possibility of security
>> holes? They are both just as exploitable from a security point of
>> view if they are not given protection.
> GET is supposed to be a safe operation. Users are supposed to be able to
> follow links without worrying about doing things. In WP, they can't.
> This leads to various XSS issues and cracks. It's too easy to get the
> admin to follow a link. Indeed this can happen without any explicit user
> request at all.
> POST is not, which is why it can't be linked to, bookmarked, prefetched,
> used to grab an image, etc.
Yes but if I can convince you to click on a link that takes you to your
blog's admin then I can just as likely convince you to click on a form
post button that does the same.
That is why both methods _need_ the nonces (or something else like
referrer checking which isn't as good as the nonces) to prevent the XSS
issues and cracks.
Switching to POST from GET does not protect against the issues - it just
makes them slightly harder to exploit - i.e. you can't easily exploit a
POST issue without user interaction which you can with a GET issue by
virtue of using an IMG tag to perform the exploit.
> interesting question. I need to explore it further. I'm not sure it's
> possible, but I'm not sure it isn't either. I suspect the answer may lie
I don't see this as relevant to the issue at hand really.
POST is not more secure than GET.
Believing so leads to a false sense of security.
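An added example (not from this thread and not WordPress's own nonce code) that illustrates the point in Python: an admin handler that checks a per-user, per-action nonce on both GET and POST, so a forged IMG-tag GET and a forged form POST are both rejected, while a link or form that carries the user's own nonce is accepted. `SECRET_KEY`, `make_nonce` and `handle_delete_post` are constructed names for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret, generated fresh here; constructed for the example.
SECRET_KEY = secrets.token_bytes(32)


def make_nonce(user_id: int, action: str) -> str:
    """Nonce bound to the logged-in user AND the specific action, so a
    link or form built by an attacker's page cannot carry a valid one."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(user_id: int, action: str, nonce) -> bool:
    if not isinstance(nonce, str):
        return False
    return hmac.compare_digest(make_nonce(user_id, action), nonce)


def handle_delete_post(method: str, params: dict, session_user: int):
    """Admin handler that treats GET and POST alike: the browser attaches
    the admin's cookie either way (IMG tag, link, or auto-submitted form),
    so only the nonce distinguishes a legitimate request from a forged one."""
    if method not in ("GET", "POST"):
        return (405, "method not allowed")
    if not verify_nonce(session_user, "delete_post", params.get("_nonce")):
        return (403, "nonce check failed")
    return (200, f"deleted post {params['post_id']}")


def forged_requests_rejected() -> bool:
    """Constructed scenario: user 1 is logged in; an attacker's page issues
    a GET via <img src=...> and a POST via an auto-submitted form. Neither
    can know user 1's nonce, so both fail regardless of HTTP method."""
    img_tag_get = handle_delete_post("GET", {"post_id": "7"}, 1)
    forged_post = handle_delete_post("POST", {"post_id": "7"}, 1)
    # A nonce minted for a different action or a different user is no use either.
    wrong_action = handle_delete_post(
        "POST", {"post_id": "7", "_nonce": make_nonce(1, "edit_post")}, 1)
    other_user = handle_delete_post(
        "POST", {"post_id": "7", "_nonce": make_nonce(2, "delete_post")}, 1)
    return all(r[0] == 403 for r in (img_tag_get, forged_post, wrong_action, other_user))
```

A legitimate admin link would embed `make_nonce(1, "delete_post")` as `_nonce`, and the same check then passes whether the request arrives as GET or POST.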