Thanks for the long note. I am sure some developer will take a look at this.
Thanks, again :)
You must have referrers enabled to use WordPress. There are a lot of reasons for this, not the least of which is security.
Would you mind elaborating on the reasons for requiring referrers, especially related to security?
The only security risk I can think of is that a malicious web site will include a URL or some other tag that causes my browser to GET a URL like "https://mysite/wordpress/wp-admin/post.php?action=delete&post=5". If I've previously logged in and am caching cookies, this can cause me to unknowingly delete an entry.
Could that kind of attack be mitigated by requiring a POST instead of a GET for actions like that? Or is it just as easy to write javascript code that will perform the POST?
Otherwise, I can't think of any attack that doesn't also require capturing the username/password or the authentication cookies that couldn't also fake the "Referer" header.
I have commented out the check_admin_referer function because I'd rather turn off referrers in Firefox and be open to this attack than to turn them on just to use WordPress.
Cheers,
Jason
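The question above (whether requiring POST helps, and whether a Referer check adds anything when the header can be faked or suppressed) is easier to reason about with the server-side check written out. The following is an added example, not WordPress code and not the check_admin_referer function discussed in the thread: it shows the pattern that does not depend on the Referer header at all, a per-session anti-CSRF token that a third-party page cannot read, with the Referer demoted to a secondary signal. A request that performs a state-changing action must be a POST and must carry the session's token; a Referer that is present but names another site is rejected, while a missing Referer (a browser privacy setting, as in the post above) is tolerated because the token already proves the request came from a page this site served. The site origin, the request and session dictionaries and the function names are assumptions made for the example.

```python
import hmac
import secrets
from typing import Optional, Tuple, Dict
from urllib.parse import urlsplit

# Hypothetical site origin for the example (the thread only mentions "https://mysite").
SITE_ORIGIN = "https://mysite"


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret and store it server-side.

    The form for a state-changing action embeds this token in a hidden field.
    A page on another origin cannot read it, so it cannot forge the request,
    whether or not the browser sends a Referer header.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def referer_is_same_origin(referer: Optional[str]) -> bool:
    """True if the Referer header names this site.

    Used only as a secondary signal: an absent Referer is not proof of anything,
    and the header is under the client's control.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def authorize_state_change(request: dict, session: dict) -> Tuple[bool, str]:
    """Decide whether a request may perform a state-changing admin action.

    request: {"method": str, "headers": dict, "params": dict}  (constructed shape)
    session: server-side session dict holding the expected token
    Rules:
      1. GET is never allowed for actions that change state.
      2. The submitted token must match the session token (constant-time compare).
      3. A Referer that is present but foreign is rejected; a missing Referer
         is tolerated because rule 2 already binds the request to our own page.
    """
    if request["method"] != "POST":
        return False, "state-changing actions require POST"
    expected = session.get("csrf_token")
    submitted = request["params"].get("csrf_token")
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return False, "missing or invalid CSRF token"
    referer = request["headers"].get("Referer")
    if referer and not referer_is_same_origin(referer):
        return False, "cross-site Referer"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed requests through the check and return each verdict."""
    session: dict = {}
    token = issue_csrf_token(session)
    delete = {"action": "delete", "post": "5"}  # the action from the thread
    cases = {
        # The GET-with-cached-cookies scenario described in the post.
        "get_with_cookie_only": {"method": "GET", "headers": {}, "params": dict(delete)},
        # A POST is not enough by itself: no token, so it is rejected.
        "post_without_token": {"method": "POST", "headers": {}, "params": dict(delete)},
        # Right length, wrong value: constant-time compare still fails it.
        "post_wrong_token": {"method": "POST", "headers": {},
                             "params": dict(delete, csrf_token="x" * len(token))},
        # Valid token but the Referer names another origin.
        "post_foreign_referer": {"method": "POST",
                                 "headers": {"Referer": "https://evil.example/page"},
                                 "params": dict(delete, csrf_token=token)},
        # Valid token, Referer suppressed by the browser: still allowed.
        "post_token_no_referer": {"method": "POST", "headers": {},
                                  "params": dict(delete, csrf_token=token)},
        # Valid token and same-origin Referer.
        "post_token_same_origin": {"method": "POST",
                                   "headers": {"Referer": f"{SITE_ORIGIN}/wp-admin/edit.php"},
                                   "params": dict(delete, csrf_token=token)},
    }
    return {name: authorize_state_change(req, session) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point the example makes for the thread: moving to POST alone does not close the hole, since a script on another page can submit a form; the token does, and it keeps working for users who have disabled referrers, which is exactly the case a Referer-only check cannot distinguish from an attack.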