WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#3643 closed defect (bug) (invalid)

Spam bots can still submit coments, even if the feature is disabled

Reported by: sendspace Owned by:
Milestone: Priority: high
Severity: major Version: 2.1
Component: Security Keywords:
Focuses: Cc:

Description

Hi,

I have looked through the closed tickets for v2.1 but did not find this mentioned.

Even though blogs with disabled comments no longer produce the link to submit a comment spambots know the URLs and forms. They submit comments directly to the comment script and by doing so bypass 'comments disabled'.

I would suggest adding a check at the actual comment submission script in order to prevent this from happening.

Thanks,
Richard

Change History (9)

comment:1 @sendspace8 years ago

  • Component changed from Administration to Security
  • Milestone changed from 2.2 to 2.1.1

comment:2 @foolswisdom8 years ago

  • Milestone changed from 2.1.1 to 2.2
  • Version set to 2.1

comment:3 @markjaquith8 years ago

  • Milestone 2.2 deleted
  • Resolution set to invalid
  • Status changed from new to closed

in wp-comments-post.php :

} elseif ( 'closed' ==  $status->comment_status ) {
	do_action('comment_closed', $comment_post_ID);
	wp_die( __('Sorry, comments are closed for this item.') );
}

You've likely confused the global setting with retroactive comment closing. That setting only affects the default setting for new posts. Old posts comment statuses remain the same.

comment:4 @glennr8 years ago

  • Priority changed from low to normal
  • Resolution invalid deleted
  • Status changed from closed to reopened

I had this problem also, and I am sure I set both the setting on the post, and in options to not allow comments. In addition, it was set to require a logged in user for commenting, and there are none.

I'm no expert in php, so correct me if I'm wrong, but I don't think that script actually kills it.
It is not die() in the code, it is wp_die(), a function set in wp_includes/functions.php.
Looking at the code there, I see no reference to the actual "die()" function that would kill the script.
Still looking around, I might be missing something, but I don't even see the functions.php file included in the wp_comments_post.php file.

Reopening the ticket.

comment:5 @glennr8 years ago

  • Priority changed from normal to high
  • Severity changed from normal to major

As a security bug, it should be a bit more important.

comment:6 @rob1n8 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

functions.php is included (gradually) by wp-config.php.

And in wp_die(), line 1361 of functions.php, is die().

comment:7 follow-up: @glennr8 years ago

Brings up the question still of how someone is posting comments.

comment:8 @rob1n8 years ago

Looks impossible... I've looked through the code at least 10 times now, and it all looks right.

comment:9 in reply to: ↑ 7 @foolswisdom8 years ago

Replying to glennr:

Brings up the question still of how someone is posting comments.

Contact me at 'lloyd' at automattic com, and I can help debug it on your blog.

Note: See TracTickets for help on using tickets.