id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
16370,Vulnerability: Comment posting by Guest,igisev,,"If on ""Discussion Settings"" console page[[BR]]
""Users must be registered and logged in to comment"" - is checked[[BR]]
then any visitor can leave comments on a site.

But if guest knows Email and/or ""display name"" of any registered user he can leave the comment as though it was this user!

For example:[[BR]]
Admin Email is 'admin[at]myblog.com'. Admin display name is 'Administrator'.[[BR]]
Guest fill out comment form with:[[BR]]
Name: Administrator[[BR]]
E-Mail: admin[at]myblog.com[[BR]]
and press the ""Submit Comment"" button[[BR]]

[[Image(http://img838.imageshack.us/img838/3365/63231804.th.gif)]][[BR]]
Full size image: [http://img838.imageshack.us/img838/3365/63231804.gif]

As a result the comment of the visitor and the comment of the Administrator look absolutely equally! =/[[BR]]
[[Image(http://img193.imageshack.us/img193/274/41043977.th.gif)]][[BR]]
Full size image: [http://img193.imageshack.us/img193/274/41043977.gif]

What you can say about this? =(",defect (bug),closed,normal,,Comments,3.0.4,normal,duplicate,comment posting guest,