
Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#8997 closed defect (bug) (fixed)

It's possible to comment on private posts.

Reported by: tott
Owned by:
Milestone: 2.8
Priority: normal
Severity: normal
Version: 2.7
Component: Comments
Keywords: comment, post, security, private, has-patch
Focuses:
Cc:

Description

It is possible to post a comment on a private post when you guess the post ID. To reproduce, try something similar to

curl -vvv -X POST --data "author=First%20Last&email=spammer%40noreply.com&url=&comment=testing%20this&submit=Submit+Comment&comment_post_ID=1" http://wpurl/wp-comments-post.php

Replace the comment_post_ID with one of a private post.
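An added illustration of the kind of server-side check that closes this gap (example code, not the attached patch or the committed fix): it refuses a comment on a private post unless the submitter is logged in and allowed to read that post. It assumes the WordPress core functions get_post_status(), is_user_logged_in(), current_user_can() and wp_die(), and the 'pre_comment_on_post' action that wp-comments-post.php fires with the submitted comment_post_ID.

```php
<?php
// Example code, not part of the ticket or of WordPress core.
// Reject comments on private posts from anyone who may not read the post,
// before wp-comments-post.php goes on to insert the comment.
// Assumes the 'pre_comment_on_post' action is fired with the post ID.

function example_block_comments_on_private_posts( $comment_post_ID ) {
    $comment_post_ID = (int) $comment_post_ID;
    $status          = get_post_status( $comment_post_ID );

    // No such post: fail closed rather than fall through to later code.
    if ( false === $status ) {
        wp_die( 'Invalid post ID.', '', array( 'response' => 404 ) );
    }

    // The bug in this ticket: a forged comment_post_ID let an anonymous
    // client attach a comment to a private post. Require a logged-in user
    // who is actually allowed to read the post before accepting anything.
    if ( 'private' === $status
        && ( ! is_user_logged_in() || ! current_user_can( 'read_post', $comment_post_ID ) ) ) {
        wp_die(
            'Sorry, you must be logged in and able to read this post to comment on it.',
            '',
            array( 'response' => 403 )
        );
    }
}
add_action( 'pre_comment_on_post', 'example_block_comments_on_private_posts' );
```

With this in place, the curl request above against a private post's ID gets a 403 instead of a stored comment, while comments on published posts are unaffected.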

Attachments (1)

wp-comments-post.diff (413 bytes) - added by tott 6 years ago.
fix against revision 10462


Change History (5)

@tott 6 years ago

fix against revision 10462

comment:1 follow-up: @mrmist 6 years ago

Could comments not be nonce protected? I mean the patch will prevent people from curl-ing in comments to private posts, but you can still submit as many comments as you like to normal published posts without actually using the submit form on the article's page.

comment:2 @ryan 6 years ago

(In [10684]) Require user to be logged in to comment on private posts. Props tott. see #8997

comment:3 in reply to: ↑ 1 @lloydbudd 6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Replying to mrmist:

Could comments not be nonce protected? I mean the patch will prevent people from curl-ing in comments to private posts, but you can still submit as many comments as you like to normal published posts without actually using the submit form on the article's page.

mrmist, that is an interesting idea. I wonder how well it has been explored previously and what the disadvantages are?

Considering it shouldn't bar the inclusion of the above patch. Actually, the topic would best live in its own ticket -- if one for comment nonce doesn't already exist.

comment:4 @lloydbudd 6 years ago

  • Version set to 2.7