[wp-hackers] Any other way to do it? (or,
do we really need Nonces?)
Scott Yang
scott.yang at gmail.com
Fri Mar 2 20:11:53 GMT 2007
Hmm...
<iframe name="foo" style="display:none"></iframe>
<form name="bar" target="foo" method="post"
action="http://yoursite/wp-admin/bad-script.php" style="display:none">
<input type="hidden" name="var1" value="value1"/>
<input type="hidden" name="var2" value="value2"/>
<input type="hidden" name="var3" value="value3"/>
</form>
<script type="text/javascript">
document.forms['bar'].submit();
</script>
1. You can certainly post to a form outside your domain.
2. You can hide the form as well.
3. You can automated it via Javascript.
4. POST is about as insecure as GET
-Scott
On 3/3/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> The difference is you don't need to convince me to click on a link. You
> can force my browser to follow a link in several ways without any human
> intervention. That isn't the case with POST, I brought up the JavaScript
> because it had been suggested that could be used to force a POST without
> human intervention. I'm not sure that's true but it's worth investigating.
More information about the wp-hackers
mailing list