#2543 closed defect (bug) (wontfix)
anyone can post comments masquerading as registered user
| Reported by: | ramnram1 | Owned by: | ramnram1 |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 2.0.1 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
one can post comments masquerading as a legitimate user with the following information:
Name (required) : <legitimate user's alias>
Mail (will not be published) (required): <his/her email>
Website: <the user's website>
where the name and website can be obtained from the user's other comments
Attachments (1)
Change History (7)
#1 (19 years ago)
- Component changed from Security to General
- Description modified (diff)
- Keywords security removed
- Priority changed from highest to normal
- Severity changed from critical to minor
- Summary changed from anyone can post comments as registered user to anyone can post comments masquerading as registered user
#2 (19 years ago)
- Keywords Security added
- Owner changed from anonymous to ramnram1
- Priority changed from normal to highest
- Severity changed from minor to critical
Such posts never go for moderation. Which means WordPress accepts the comment from an anonymous user as a comment from a registered user. Which is a vulnerability. And it's a serious security issue. A simple check could have avoided this.
#3 (19 years ago)
- Keywords Security removed
- Priority changed from highest to normal
- Resolution set to wontfix
- Severity changed from critical to minor
- Status changed from new to closed
That is simply not true.
```php
// Quoted from WordPress 2.0's comment handling: auto-approve only for a logged-in user who is the post author or has level_9.
if ( $userdata && ( $user_id == $post_author || $user->has_cap('level_9') ) ) { $approved = 1; }
```
Comments only skip moderation for level_9 users who are logged in, or for the author of the post. You cannot spoof this... it doesn't check by name or e-mail address.
If you have WP set to only take comments from registered users, you cannot spoof registration by matching name/e-mail address... you must be logged into WordPress... and this is checked via cookie.
There is no security risk. In order for it to be a security risk, you have to be able to intercept private data, or gain control over the blog. All this boils down to is that if someone can leave a comment and match the info put down by someone else (although they'd just be making an educated guess with the e-mail address), who may or may not be a registered user. It's an annoyance... that's all. You can prevent this annoyance with a plugin, if you're really worried about people being obnoxious in your comments.
#4 (19 years ago)
/me indicates his assent to the previous comment by MarkJaquith but prefers not to say "+1" because he's not, you know, into the whole brevity thing
#5 (19 years ago)
- Cc pradeep.vjn@… removed
- Component changed from General to Security
- Priority changed from normal to highest
- Resolution wontfix deleted
- Severity changed from minor to major
- Status changed from closed to reopened
I have attached a Word document. You can very well see that whenever the same email ID is given, the post does not go for moderation. The environment did not change for any of the posts. All of them were posted from the same browser. In all the posts the user posted as an anonymous user.
#6 (19 years ago)
- Component changed from Security to General
- Priority changed from highest to normal
- Resolution set to wontfix
- Severity changed from major to minor
- Status changed from reopened to closed
Are you talking about the setting "Comment author must have a previously approved comment" ? In that case, you had a previously approved comment with that e-mail address so the subsequent comments went through... this is intended behavior. Again, if you don't want people masquerading as a registered user, use the plugin.
First time moderation obviously only works if it is the first comment for that e-mail address. There is no other criterion that can be used to enforce this. E-mail is the only part of the comment that is not publicly revealed. If you want complete moderation, select "An administrator must approve the comment (regardless of any matches below)"
We can continue to discuss this, but you need to stop marking this as a security issue. It isn't a security issue. I've set up a test blog with a post for you:
http://txfx.net/wp2/2006/try-to-leave-a-comment-on-this-post/
I registered a WP user, and left a comment using that user. In the comment is that user's info, including the e-mail address used. Your job is to gain control of the blog and prove it by making a new post.
If you can't do that, this is not a security issue. Marking it as such only causes undue panic among people who don't know any better.
I'm downgrading the severity of this... I don't see the security implications. It's an annoyance, yes, but it doesn't compromise the security of the WP install.
There is a plugin that prevents imposters:
http://www.skippy.net/blog/2005/09/08/impostercide/
I don't think this is necessarily something that should be included in core, although I'm open to the argument.
I've also altered the summary and description to add the word "masquerading" because the comments are not actually added as the legitimate user... they just appear to be so, to the outside world. The $comment->user_id value will NOT be set.
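The moderation decision the thread argues about (comments #3 and #6), modeled as an added example in Python. This is not WordPress code; the option and field names are assumptions standing in for WP 2.0's discussion settings, the "previously approved" match is keyed on e-mail alone as comment #6 states, and any approved comment, including one auto-approved for a logged-in user, is assumed to count as "previously approved" (which is what lets a spoofed e-mail skip the queue). The walkthrough shows the three outcomes the thread describes: the logged-in level_9 user is auto-approved with `user_id` set, the anonymous spoof of her name and e-mail is approved by the e-mail match but keeps `user_id` 0, and full moderation holds everything except the logged-in bypass.

```python
from dataclasses import dataclass, field

LEVEL_9 = 9
APPROVED, HOLD = "approved", "hold"


@dataclass
class Blog:
    """Discussion settings. Field names are assumptions, not WP option names."""
    moderate_all: bool = False           # "An administrator must approve the comment (regardless of any matches below)"
    require_prior_approval: bool = True  # "Comment author must have a previously approved comment"
    approved_emails: set = field(default_factory=set)  # stands in for approved rows in the comments table


@dataclass
class Comment:
    post_author_id: int
    author_name: str            # form field, publicly visible on other comments
    author_email: str           # form field, not published
    session_user_id: int = 0    # taken from the login cookie; 0 = anonymous
    session_level: int = 0      # capability level of the logged-in user, if any
    user_id: int = 0            # set by allow_comment from the session only
    status: str = HOLD


def allow_comment(blog, c):
    """Decide the comment's status in the order the thread describes."""
    c.user_id = c.session_user_id          # never derived from the name or e-mail fields
    if c.session_user_id and (c.session_user_id == c.post_author_id or c.session_level >= LEVEL_9):
        c.status = APPROVED                # logged-in post author / level_9 bypass
    elif blog.moderate_all:
        c.status = HOLD                    # full moderation overrides every match below
    elif blog.require_prior_approval and c.author_email.lower() in blog.approved_emails:
        c.status = APPROVED                # e-mail matches a previously approved comment
    else:
        c.status = HOLD                    # first comment from this e-mail: moderate it
    if c.status == APPROVED:
        blog.approved_emails.add(c.author_email.lower())  # now counts as "previously approved"
    return c


def scenario(moderate_all=False):
    """Constructed walkthrough: alice comments while logged in, then an anonymous
    visitor reuses her public name and a guessed e-mail, then a stranger comments."""
    blog = Blog(moderate_all=moderate_all)
    alice = allow_comment(blog, Comment(post_author_id=7, author_name="alice",
                                        author_email="alice@example.invalid",
                                        session_user_id=3, session_level=LEVEL_9))
    spoof = allow_comment(blog, Comment(post_author_id=7, author_name="alice",
                                        author_email="alice@example.invalid"))
    stranger = allow_comment(blog, Comment(post_author_id=7, author_name="bob",
                                           author_email="bob@example.invalid"))
    return {"alice": (alice.status, alice.user_id),
            "spoof": (spoof.status, spoof.user_id),
            "stranger": (stranger.status, stranger.user_id)}


if __name__ == "__main__":
    for setting in (False, True):
        print("moderate_all =", setting, scenario(moderate_all=setting))
```

The spoofed comment is approved only by the e-mail match and its `user_id` stays 0, so it is never attributed to the registered account in the database; it merely displays with the same name and website. Turning on "An administrator must approve the comment" holds it, while the logged-in user's own comment is still auto-approved.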