[wp-hackers] Rethinking check_admin_referer()
David House
dmhouse at gmail.com
Tue Apr 18 21:30:44 GMT 2006
On 18/04/06, Michael D. Adams <mikea at turbonet.com> wrote:
> Have you tried this? KSES should filter out IMGs from users that don't
> have the unfiltered_html capability.
Good point, I figured img was among the allowed tags, but apparently not.
> Regardless, the draft issue mentioned previously [1] is still there. As
> mentioned by others, we should POST.
Yes, and also non-registered users could provide a link like "Great
post, here's [my response]", which links to a redirecting site. An
unwitting admin would click it and it's the same flaw.
--
-David House, dmhouse at gmail.com, http://xmouse.ithium.net
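As an added example, not code from WordPress or from anyone in this thread, here is one shape a POST-plus-token check of the kind argued for above could take, so that a GET reached through a redirecting link never changes state; SECRET_KEY, make_action_token and authorize_admin_action are names chosen for the illustration and are not WordPress functions.

```php
<?php
// Added example (not WordPress code): a minimal admin action handler that
// refuses the redirect-link flaw from the thread by requiring POST plus a
// per-user, per-action token instead of trusting the Referer header.

// Constructed secret for the illustration; load from server config in practice.
const SECRET_KEY = 'constructed-example-secret';

// Token bound to the action and the logged-in user's session.
function make_action_token(string $action, string $session_id): string {
    return hash_hmac('sha256', $action . '|' . $session_id, SECRET_KEY);
}

// True only for a POST carrying a valid token for this action.
// A link the admin clicks, even one that bounces through a redirecting
// site, arrives as a GET without a token and is rejected before any change.
function authorize_admin_action(string $method, array $post, string $action, string $session_id): bool {
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($post['_token']) || !is_string($post['_token'])) {
        return false;
    }
    // Constant-time comparison so the token is not leaked byte by byte.
    return hash_equals(make_action_token($action, $session_id), $post['_token']);
}

// Legitimate admin pages embed the token in a POST form.
function render_delete_form(int $post_id, string $session_id): string {
    $token = htmlspecialchars(make_action_token('delete-post', $session_id), ENT_QUOTES);
    return '<form method="post" action="admin.php">'
         . '<input type="hidden" name="action" value="delete-post">'
         . '<input type="hidden" name="post_id" value="' . $post_id . '">'
         . '<input type="hidden" name="_token" value="' . $token . '">'
         . '<button type="submit">Delete</button></form>';
}

// Constructed requests for illustration.
$session = 'sess-abc123';
// Case 1: the admin followed a redirect, so the request is a bare GET.
var_dump(authorize_admin_action('GET', [], 'delete-post', $session));
// Case 2: a POST from elsewhere without the session-bound token.
var_dump(authorize_admin_action('POST', ['_token' => 'wrong'], 'delete-post', $session));
// Case 3: a submission from the rendered form above.
$ok = ['_token' => make_action_token('delete-post', $session)];
var_dump(authorize_admin_action('POST', $ok, 'delete-post', $session));
```

Only the third case is authorized; the first two are refused before the handler touches any post.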