
Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#2543 closed defect (bug) (wontfix)

anyone can post comments masquerading as registered user

Reported by: ramnram1
Owned by: ramnram1
Milestone: (none)
Priority: normal
Severity: minor
Version: 2.0.1
Component: General
Keywords: (none)
Focuses: (none)
Cc: (none)

Description (last modified by markjaquith)

One can post comments masquerading as a legitimate user with the following information:

Name (required): <legitimate user's alias>

Mail (will not be published) (required): <his/her email>

Website: <the user's website>

where the name and website can be obtained from the user's other comments.

Attachments (1)

wordpress_VA.doc (55.0 KB) - added by ramnram1 8 years ago.


Change History (7)

comment:1 markjaquith 8 years ago

  • Component changed from Security to General
  • Description modified (diff)
  • Keywords security removed
  • Priority changed from highest to normal
  • Severity changed from critical to minor
  • Summary changed from anyone can post comments as registered user to anyone can post comments masquerading as registered user

I'm downgrading the severity of this... I don't see the security implications. It's an annoyance, yes, but it doesn't compromise the security of the WP install.

There is a plugin that prevents imposters:

http://www.skippy.net/blog/2005/09/08/impostercide/

I don't think this is necessarily something that should be included in core, although I'm open to the argument.

I've also altered the summary and description to add the word "masquerading" because the comments are not actually added as the legitimate user... they just appear to be so, to the outside world. The $comment->user_id value will NOT be set.

comment:2 ramnram1 8 years ago

  • Keywords Security added
  • Owner changed from anonymous to ramnram1
  • Priority changed from normal to highest
  • Severity changed from minor to critical

Such types of posts never go for moderation. Which means WordPress accepts the comment from an anonymous user as a comment from a registered user. Which is a vulnerability. And it's a serious security issue. A simple check could have avoided this.

comment:3 markjaquith 8 years ago

  • Keywords Security removed
  • Priority changed from highest to normal
  • Resolution set to wontfix
  • Severity changed from critical to minor
  • Status changed from new to closed

That is simply not true.

	if ( $userdata && ( $user_id == $post_author || $user->has_cap('level_9') ) ) {
		$approved = 1;
	}

Comments only skip moderation for level_9 users who are logged in, or for the author of the post. You cannot spoof this... it doesn't check by name or e-mail address.

If you have WP set to only take comments from registered users, you cannot spoof registration by matching name/e-mail address... you must be logged into WordPress... and this is checked via cookie.

There is no security risk. In order for it to be a security risk, you have to be able to intercept private data, or gain control over the blog. All this boils down to is that if someone can leave a comment and match the info put down by someone else (although they'd just be making an educated guess with the e-mail address), who may or may not be a registered user. It's an annoyance... that's all. You can prevent this annoyance with a plugin, if you're really worried about people being obnoxious in your comments.

comment:4 skeltoac 8 years ago

/me indicates his assent to the previous comment by MarkJaquith but prefers not to say "+1" because he's not, you know, into the whole brevity thing


comment:5 ramnram1 8 years ago

  • Cc pradeep.vjn@… removed
  • Component changed from General to Security
  • Priority changed from normal to highest
  • Resolution wontfix deleted
  • Severity changed from minor to major
  • Status changed from closed to reopened

I have attached a Word document. You can very well see that, whenever the same email id is given, the post did not go for moderation. The environment did not change for any of the posts. All of them were posted from the same browser. In all the posts the user posted as an anonymous user.

comment:6 markjaquith 8 years ago

  • Component changed from Security to General
  • Priority changed from highest to normal
  • Resolution set to wontfix
  • Severity changed from major to minor
  • Status changed from reopened to closed

Are you talking about the setting "Comment author must have a previously approved comment" ? In that case, you had a previously approved comment with that e-mail address so the subsequent comments went through... this is intended behavior. Again, if you don't want people masquerading as a registered user, use the plugin.

First time moderation obviously only works if it is the first comment for that e-mail address. There is no other criterion that can be used to enforce this. E-mail is the only part of the comment that is not publicly revealed. If you want complete moderation, select "An administrator must approve the comment (regardless of any matches below)"

We can continue to discuss this, but you need to stop marking this as a security issue. It isn't a security issue. I've set up a test blog with a post for you:
http://txfx.net/wp2/2006/try-to-leave-a-comment-on-this-post/

I registered a WP user, and left a comment using that user. In the comment is that user's info, including the e-mail address used. Your job is to gain control of the blog and prove it by making a new post.

If you can't do that, this is not a security issue. Marking it as such only causes undue panic among people who don't know any better.
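A constructed PHP model of the approval logic described in comments 3 and 6, added here for illustration (it is not WordPress core code; the function name, field names, option flag and sample data are assumptions). It shows that user_id comes only from the login session, that the level_9/post-author shortcut cannot be reached by matching name or e-mail, and that the "previously approved comment" setting matches on e-mail alone without attributing the comment to the account.

```php
<?php
// Constructed model of the comment-approval decision discussed in this ticket.
// Not WordPress core code: function name, field names and sample data are assumptions.

// Constructed sample: e-mail addresses that already have an approved comment.
const APPROVED_EMAILS = ['author@example.com' => true];

/**
 * Decide whether a submitted comment is auto-approved (1) or held (0),
 * and which user_id it is stored under.
 *
 * @param array      $comment           form fields: author, email, url (supplied by the commenter)
 * @param array|null $session_user      user from the login cookie, or null if anonymous
 * @param int        $post_author       ID of the post's author
 * @param bool       $whitelist_setting "Comment author must have a previously approved comment"
 */
function comment_approval_status(array $comment, ?array $session_user, int $post_author, bool $whitelist_setting): array {
    // user_id comes only from the session, never from the name/e-mail/website fields.
    $user_id = $session_user['ID'] ?? 0;

    // Level_9 users and the post's author skip moderation; checked via the session only.
    if ($session_user !== null
        && ($user_id === $post_author || in_array('level_9', $session_user['caps'], true))) {
        return ['approved' => 1, 'user_id' => $user_id];
    }

    // Whitelist setting: matches on e-mail alone, the one field not shown publicly.
    if ($whitelist_setting && isset(APPROVED_EMAILS[strtolower($comment['email'])])) {
        return ['approved' => 1, 'user_id' => $user_id];
    }

    return ['approved' => 0, 'user_id' => $user_id];
}

// Anonymous submission that copies a registered user's name, e-mail and website.
$lookalike = ['author' => 'Registered User', 'email' => 'author@example.com', 'url' => 'http://example.com'];

// Default settings: no session, so the comment is held and user_id stays 0.
$r = comment_approval_status($lookalike, null, 5, false);
assert($r === ['approved' => 0, 'user_id' => 0]);

// Whitelist setting on: the e-mail match approves it, but it is still not the account's comment.
$r = comment_approval_status($lookalike, null, 5, true);
assert($r === ['approved' => 1, 'user_id' => 0]);

// Only a real login session as the post author reaches the level_9/author shortcut.
$r = comment_approval_status($lookalike, ['ID' => 5, 'caps' => []], 5, false);
assert($r === ['approved' => 1, 'user_id' => 5]);
```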
