WordPress.org

Codex

User:MDAWaffe/referers

Current WP referer check + KSES

IMGs in comments allow for arbitrary SRC attributes
NO: KSES filters out all IMGs from comments by users without unfiltered_html

Links from preview IFRAME allow comments/drafts from untrusted parties to pass check_admin_referer()
NO: IFRAMEs send REFERER based on SRC attribute

SESSIONS v. COOKIES, POST v. GET in the context of packet sniffing
N/A: They're all up for grabs unless you're doing stuff over SSL

In the context of log files
Sure: WP cannot secure your log files. You have a bad host if your log files are readable by untrusted parties. That said, it's a valid point; why not trust the competency of your host as little as possible?

REFERERs can be spoofed
NO: This can only happen with script injection. Enter KSES.

wp-admin/edit-comments.php and wp-admin/moderation.php are dangerous since they'll send a REFERER which will pass check_admin_referer()
YES: KSES strips out SCRIPTs, IMGs and so forth so that visiting these pages won't automatically cause any damaging GETs, but KSES doesn't filter links; with manual intervention on your part you can trip a nasty GET by clicking on a malicious link.

Solution: filter all links in comments to look like "google [http://www.google.com]" instead of "<a href='http://www.google.com'>google</a>" (i.e., make them unclickable) on these pages. That and POSTification.
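One way to do the link filtering described above, as an added example that is not code from this page or from WordPress core. It assumes a plugin-style function named defang_comment_links() (a name chosen here) hooked onto WordPress's comment_text filter, and that the hook is only registered on admin pages; the sample comment at the bottom is constructed for the demonstration.

```php
<?php
// Added example, not part of the Codex page or of WordPress core.
// Turns every <a ...>text</a> in a comment into the plain text "text [url]"
// so that reviewing comments in wp-admin cannot trip a GET by a click.

/**
 * Rewrite each anchor in $html as "text [href]". Attributes other than
 * href are dropped; the URL is displayed, never linked.
 */
function defang_comment_links( $html ) {
    $pattern = '~<a\b([^>]*)>(.*?)</a>~is';
    return preg_replace_callback( $pattern, function ( $m ) {
        $attrs = $m[1];
        $text  = trim( strip_tags( $m[2] ) );
        $href  = '';
        // href="..." or href='...'
        if ( preg_match( '~\bhref\s*=\s*(["\'])(.*?)\1~is', $attrs, $h ) ) {
            $href = $h[2];
        // unquoted href=...
        } elseif ( preg_match( '~\bhref\s*=\s*([^\s>]+)~i', $attrs, $h ) ) {
            $href = $h[1];
        }
        // Normalise entities (e.g. &amp; in the href) and re-escape for output,
        // so the replacement text is inert HTML rather than markup.
        $href = htmlspecialchars( html_entity_decode( $href, ENT_QUOTES ), ENT_QUOTES );
        $text = htmlspecialchars( html_entity_decode( $text, ENT_QUOTES ), ENT_QUOTES );
        if ( $text === '' ) {
            $text = $href;
        }
        return $href === '' ? $text : "$text [$href]";
    }, $html );
}

// Register only inside WordPress and only on admin pages (edit-comments,
// moderation and the like); public comment display is left alone.
if ( function_exists( 'add_filter' ) && function_exists( 'is_admin' ) && is_admin() ) {
    add_filter( 'comment_text', 'defang_comment_links', 20 );
}

// Stand-alone check with a constructed comment (not a real comment).
$sample = 'See <a href="http://www.google.com/?q=a&amp;b">google</a> '
        . 'and <a href=\'http://example.invalid/path\' onclick="x()">here</a>.';
echo defang_comment_links( $sample ), "\n";
```

The priority of 20 matters: WordPress's make_clickable filter runs earlier on the same comment_text hook and would otherwise turn the bare URL inside the brackets back into a link, so the defanging step must run after it. This only addresses the "manual click" case the entry describes; the POSTification of the admin actions is still needed for the rest.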

Viewing drafts from untrusted users can automatically trip nasty GETs
In some cases. The preview IFRAME can't hurt you as above. If you're using the oldskool HTML editor, you're safe. If you're using the WYSIWYG editor, IMGs are loaded automatically.

Solution: don't set up your blog such that untrusted people can submit drafts, and/or require those users with admin privileges to use the oldskool editor. Don't you want to review the raw HTML of contributors anyway (links to goatse etc.)? A partial code-based solution might involve something like that proposed above.