Opened 3 years ago

Closed 3 years ago

#16370 closed defect (bug) (duplicate)

Vulnerability: Comment posting by Guest

Reported by: igisev
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0.4
Component: Comments
Keywords: comment posting guest
Focuses:
Cc:

Description

If on the "Discussion Settings" console page
"Users must be registered and logged in to comment" is checked,
then any visitor can leave comments on a site.

But if a guest knows the email and/or "display name" of any registered user, he can leave a comment as though it were this user!

For example:
The admin email is 'admin[at]myblog.com'. The admin display name is 'Administrator'.
The guest fills out the comment form with:
Name: Administrator
E-Mail: admin[at]myblog.com
and presses the "Submit Comment" button.

http://img838.imageshack.us/img838/3365/63231804.th.gif
Full size image: http://img838.imageshack.us/img838/3365/63231804.gif

As a result, the comment of the visitor and the comment of the Administrator look exactly the same! =/
http://img193.imageshack.us/img193/274/41043977.th.gif
Full size image: http://img193.imageshack.us/img193/274/41043977.gif

What can you say about this? =(
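The behaviour described in the report, a guest submitting the comment form with a registered user's email address and display name, can be blocked site-side before the comment is stored. The following is an added example for illustration; it is not WordPress core code and is not attached to this ticket. It uses the real `preprocess_comment` filter together with `is_user_logged_in()`, `get_user_by()` and `wp_die()`; the function name `example_block_impersonating_guest_comment` and the plugin header are assumptions chosen for this example. It checks the email address only, because email is unique per account, whereas a display name is free text and cannot be used as a reliable identity check.

```php
<?php
/**
 * Plugin Name: Reject guest comments that reuse a registered user's email
 *
 * Added example (not WordPress core code, not part of this ticket).
 * Drop it into wp-content/mu-plugins/ to have it load on every request.
 */

/**
 * Reject a comment from a visitor who is not logged in when the email
 * address in the form belongs to an existing account.
 *
 * Runs on the 'preprocess_comment' filter, which receives the comment
 * data array before wp_new_comment() saves it.
 *
 * @param array $commentdata Comment data as submitted by the form.
 * @return array Unchanged comment data if the comment is allowed.
 */
function example_block_impersonating_guest_comment( $commentdata ) {
    // A logged-in author is identified by the session, not by the form
    // fields, so there is nothing to check here.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    $email = isset( $commentdata['comment_author_email'] )
        ? trim( $commentdata['comment_author_email'] )
        : '';

    // An empty email is handled by the normal "require name and email"
    // discussion setting; this check only cares about reuse of a real one.
    if ( '' === $email ) {
        return $commentdata;
    }

    // Email addresses are unique per WordPress account, so a match means
    // the guest is posting under a registered user's identity.
    if ( get_user_by( 'email', $email ) ) {
        wp_die(
            'This email address belongs to a registered user. Please log in to comment.',
            'Comment rejected',
            array(
                'response'  => 403,
                'back_link' => true,
            )
        );
    }

    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_block_impersonating_guest_comment' );
```

With this in place, a guest who fills in 'admin[at]myblog.com' as in the report gets a 403 page instead of a comment that is visually indistinguishable from the administrator's own. Moderators can still see impersonation attempts in their web server logs, since the rejected request never reaches the comments table.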

Attachments (2)

1.gif (21.8 KB) - added by igisev 3 years ago.
Screen 1
2.gif (26.7 KB) - added by igisev 3 years ago.
Screen 2


Change History (4)

igisev 3 years ago

Screen 1

igisev 3 years ago

Screen 2

comment:1 linuxologos 3 years ago

I can't see any bug though. The real admin has the ability to moderate comments and throw those away.

comment:2 nacin 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #10931.
