[wp-hackers] Security at Wordpress
Elliotte Harold
elharo at metalab.unc.edu
Mon Apr 24 15:06:23 GMT 2006
Owen Winkler wrote:
> I find little practical use for the proposed sweeping changes to POST
> actions, since the only gain we would make is tenuous standards support,
> which according to the excerpts you provided, we already achieve.
There are two major open security holes that would never have happened
if WordPress used POST instead of GET, and you see little gain?
There are entire sites that have been deleted by spiders and web
accelerators because they used GET where they should have used POST, and
you see little gain?
There's a lot more going on here than an obsessive concern with
standards support. The safety of GET isn't a dusty corner of the HTTP
spec. It's a core principle of HTTP, and anyone who violates it does so
at their peril. I strongly suspect the two bugs uncovered so far are not
the last problems to surface from this mistake.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
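The failure mode Elliotte describes (a spider or web accelerator following every link and thereby deleting content) is easy to reproduce in a few lines. The following is an added example, not code from the post or from WordPress: it builds a toy in-memory admin page in two variants, one exposing "delete" as a plain GET link and one only accepting it as a POST carrying a per-session token (an assumed design, not anything the thread specifies), then runs a link-following crawler over each. The site layout, URLs and post titles are all constructed for the illustration.

```python
"""
Constructed demonstration of why destructive actions must not be reachable
by GET: a spider or prefetcher fetches every href it sees and never submits
forms, so GET-based "delete" links get followed and the posts vanish.
"""
import html
import re
import secrets
from urllib.parse import parse_qs, urlsplit


class Site:
    """Tiny in-memory blog admin (constructed example).

    destructive_via_get=True  -> delete is a plain <a href> link (the mistake)
    destructive_via_get=False -> delete is a POST form with a per-session token
    """

    def __init__(self, destructive_via_get):
        self.posts = {1: "Hello world", 2: "Second post", 3: "Third post"}
        self.destructive_via_get = destructive_via_get
        self.token = secrets.token_hex(8)  # assumed anti-CSRF token design

    def handle(self, method, url, body=None):
        parts = urlsplit(url)
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if parts.path == "/admin/posts":
            return self.render_list()
        if parts.path == "/admin/delete":
            if method == "GET":
                if not self.destructive_via_get:
                    # GET must be safe: no side effects for a simple fetch.
                    return "405 Method Not Allowed"
                self.posts.pop(int(query["id"]), None)  # unsafe: GET mutates state
                return "deleted"
            if method == "POST":
                # POST alone is not enough: a hostile page can still auto-submit
                # a form. The token ties the request to a page we rendered.
                if not body or body.get("token") != self.token:
                    return "403 Forbidden"
                self.posts.pop(int(body["id"]), None)
                return "deleted"
        return "404 Not Found"

    def render_list(self):
        rows = []
        for pid, title in self.posts.items():
            if self.destructive_via_get:
                rows.append(f'<li>{html.escape(title)} '
                            f'<a href="/admin/delete?id={pid}">delete</a></li>')
            else:
                rows.append(
                    f'<li>{html.escape(title)}'
                    f'<form method="post" action="/admin/delete">'
                    f'<input type="hidden" name="id" value="{pid}">'
                    f'<input type="hidden" name="token" value="{self.token}">'
                    f'<button>delete</button></form></li>')
        return "<ul>" + "".join(rows) + "</ul>"


def crawl(site, start="/admin/posts"):
    """A spider or web accelerator: GETs every href it finds, submits no forms.
    Returns the number of pages fetched."""
    seen, queue, fetched = set(), [start], 0
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        page = site.handle("GET", url)
        fetched += 1
        for href in re.findall(r'href="([^"]+)"', page):
            if href not in seen:
                queue.append(href)
    return fetched


def posts_left_after_crawl(destructive_via_get):
    """Build a site in the chosen style, crawl it, report surviving posts."""
    site = Site(destructive_via_get)
    crawl(site)
    return len(site.posts)


if __name__ == "__main__":
    print("GET delete links, posts left after crawl:", posts_left_after_crawl(True))
    print("POST + token delete, posts left after crawl:", posts_left_after_crawl(False))
```

The crawler never does anything a browser prefetcher or search-engine spider would not do, yet it empties the GET-based site on its first pass; the POST variant survives because the crawler has nothing to follow. Note that switching to POST fixes the spider problem but not cross-site request forgery, which is why the hardened handler also checks a token it issued itself.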