[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Thu Apr 20 11:21:57 GMT 2006


Robert Deaton wrote:

> At the moment, this is not possible, the http referer check stops this
> from happening. We're discussing alternates to the referer check that
> will not require sending referers but will offer the same protection.

I've verified this attack this morning. It absolutely is possible in 
WordPress 2.0.2 as currently shipped. Perhaps that's a bug in WordPress. 
If so, those bugs need to be fixed.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
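As an added example that is not part of this thread and is not WordPress's own implementation of check_admin_referer(), the following Python sketch contrasts the two designs under discussion: a Referer-header check, which fails whenever the browser or a proxy strips the header, and a per-user, per-action, time-limited nonce, which gives the same cross-site protection without depending on the Referer header at all. The secret key, the nonce lifetime, the `_wpnonce` field name, the request dictionary and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Constructed values for this example only (not WordPress's secret or settings).
SECRET_KEY = b"constructed-secret-key-for-this-example"
NONCE_LIFE = 12 * 3600  # assumed nonce lifetime in seconds


def referer_is_trusted(referer, site_host):
    """Referer-based check: accept only when the header is present and names
    our own host. A browser or proxy that suppresses Referer makes every
    legitimate request fail this test, which is the drawback raised on the list."""
    if not referer:
        return False
    return urlparse(referer).hostname == site_host


def _tick(now):
    # Coarse time bucket; a nonce stays valid for roughly NONCE_LIFE seconds
    # because verification accepts the current and the previous bucket.
    return int(now // (NONCE_LIFE / 2))


def _mac(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(user_id, action, now=None):
    """Nonce bound to the logged-in user, the specific action and a time window.
    Embedded in the admin form or link; a third-party page cannot compute it
    because it lacks SECRET_KEY and the user's identity."""
    now = time.time() if now is None else now
    return _mac(_tick(now), action, user_id)


def verify_nonce(nonce, user_id, action, now=None):
    """Constant-time comparison against the current and previous window."""
    now = time.time() if now is None else now
    if not nonce:
        return False
    for tick in (_tick(now), _tick(now) - 1):
        if hmac.compare_digest(_mac(tick, action, user_id), nonce):
            return True
    return False


def admin_request_allowed(request, session_user_id, action, now=None):
    """Nonce-based admission for a state-changing admin request.
    The Referer header is deliberately not consulted: a request that carries a
    plausible Referer but no valid nonce is still rejected."""
    return verify_nonce(request.get("_wpnonce"), session_user_id, action, now)


if __name__ == "__main__":
    # Constructed requests: a legitimate one built by the admin UI for user 7,
    # and one that only forges the Referer header.
    nonce = create_nonce(7, "delete-post")
    print(admin_request_allowed({"_wpnonce": nonce}, 7, "delete-post"))
    print(admin_request_allowed({"Referer": "http://blog.example/wp-admin/"}, 7, "delete-post"))
```

The nonce survives a missing or stripped Referer header because the proof of origin travels in the form itself, and it is useless outside the user, action and time window it was minted for; rotating two windows keeps a form that was opened shortly before the boundary usable.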
