[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Wed Apr 19 11:03:21 GMT 2006


Matt Mullenweg wrote:

> If the best an attacker can do is embed a link in a comment or email and 
> hope you click on it, then we've succeeded. At some point we have to 
> stop punishing normal users for the extreme edge cases.


No, if that's possible, you've made a classic mistake. Clicking the link 
should not take any action. That's the difference between GET and POST:

http://cafe.elharo.com/web/rest-mistake-1-confirming-gets/

It's easy to fix. You just need to make sure that all actions take place 
through POST, not GET, regardless of URL. This wouldn't punish anybody.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
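Added example, not code from this post or from WordPress: a minimal Python handler that applies the rule above, a GET (a link) only ever returns a confirmation form, while the side effect runs only on a POST from the site's own host carrying a valid per-user nonce. The secret, host name, request shape and the `_wpnonce` field name are assumptions for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed demo values; a real site uses its own secret and host.
SECRET_KEY = b"constructed-demo-secret"
SITE_HOST = "blog.example"

def make_nonce(user_id: int, action: str) -> str:
    """Per-user, per-action token embedded in the form that performs the action."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]

def is_deliberate_post(request: dict, user_id: int, action: str) -> bool:
    """Only a POST from our own site carrying a valid nonce may cause a side effect."""
    if request["method"] != "POST":
        return False  # a GET (link, img tag, redirect) never qualifies
    if urlparse(request.get("referer", "")).hostname != SITE_HOST:
        return False
    given = request["params"].get("_wpnonce", "")
    return hmac.compare_digest(given, make_nonce(user_id, action))

def handle_request(request: dict, user_id: int, posts: dict) -> dict:
    """Dispatch the 'delete' admin action against the mutable store `posts`."""
    params = request["params"]
    if params.get("action") != "delete":
        return {"status": 404, "body": "unknown action"}
    post_id = params.get("post")
    if request["method"] == "GET":
        # Clicking a link must not delete anything: serve a form that POSTs instead.
        return {"status": 200, "body": f"confirm deletion of {post_id} via POST"}
    if not is_deliberate_post(request, user_id, "delete"):
        return {"status": 403, "body": "request refused"}
    posts.pop(post_id, None)
    return {"status": 200, "body": f"deleted {post_id}"}

def demo() -> tuple:
    """Constructed scenario: a link planted in a comment vs. a real form submission."""
    posts = {"42": "Hello world"}
    link = {"method": "GET", "referer": "http://other.example/comment",
            "params": {"action": "delete", "post": "42"}}
    link_status = handle_request(link, 1, posts)["status"]
    survived_link = "42" in posts
    form = {"method": "POST", "referer": f"http://{SITE_HOST}/wp-admin/edit.php",
            "params": {"action": "delete", "post": "42",
                       "_wpnonce": make_nonce(1, "delete")}}
    form_status = handle_request(form, 1, posts)["status"]
    return link_status, survived_link, form_status, posts
```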
