• Resolved davebgimp

    (@davebgimp)


    I use WP on my website and recently set my options to moderate all first time commenters, however, when testing it, I find that after the comment is submitted the user is redirected away from my site to a webpage hosted on the coding.mu website containing a HUGE flash movie demo of someone coding what looks to be PHP. Do you have any idea what’s up with that and if so why and how to get rid of it? It’s pretty alarming. I have disabled moderation for now and things are back to normal, but I would really like to know what the hell’s up with this.

Viewing 14 replies - 1 through 14 (of 14 total)
  • Do you have any comment-related plugin? It could be it.
    I haven’t checked WP code, but I don’t think WP will do that.

    Thread Starter davebgimp

    (@davebgimp)

    Yes I use SK2.

    Just search the code of SK2 for that site and replace it with whatever you want (e.g. your homepage). (I guess, since I don’t use SK2.)

    Does the comment still make it to moderation when the visitor gets redirected?

    I use SK2 on my site and I don’t believe I’ve ever had any commenter redirected to any site other than my own. Check out the comments related files (comment.php, comments-popup.php) and see if you find anything interesting in there.

    Regards

    SK2 does not contain a reference to that site anywhere in its source code.

    This is not normal SK2 behaviour!

    Edit:
    Looking at the code in spam_karma_2_plugin.php the redirect to the Second Chance page happens around lines 950-965 – could you paste those lines of that file here for us to check??

    westi

    Thread Starter davebgimp

    (@davebgimp)

    $location = str_replace($_SERVER['DOCUMENT_ROOT'], "/", dirname(__FILE__)) . "/" . sk2_second_chance_file
        ."?c_id=$comment_ID&c_author=" . urlencode($sk2_core->cur_comment->author_email);

    $can_use_location = ( @preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')) ) ? false : true;
    if (!$can_use_location && ($phpver >= '4.0.1') && @preg_match('/Microsoft/', getenv('SERVER_SOFTWARE')) && (php_sapi_name() == 'isapi'))
        $can_use_location = true;

    Let me know if this isn't all of it.

    Ok that code looks like it is correct.

    Would it be possible for you to reenable the plugin for a short period for me to see the problem in action by trying to post a comment on your site?

    westi

    Thread Starter davebgimp

    (@davebgimp)

    No problem, thanks for the assistance. The plugin has now been enabled.

    Thread Starter davebgimp

    (@davebgimp)

    I should also say that I searched the code of SK2 and its prepackaged plugins for “coding.mu”, but did not find anything.

    This is not related to SK2.
    I wonder if this is an example of exploit of the security vulnerabilities in WP 1.5.1.2 and lower.
    What version of WordPress are you running?

    Ok,

    Just done a test post and now I understand why this is happening.

    The redirection code in Spam Karma 2 is not sending back a fully qualified url for the second-chance page.

    When your browser tries to follow the link it can’t because it’s not fully qualified and so it may helpfully try an “I’m feeling lucky” lookup in Google and take you there – like if you mistype something in the URL bar.

    The url that gets returned in the redirect is:

    HTTP/1.x 302 Found
    Date: Fri, 08 Jul 2005 18:42:01 GMT
    Server: Apache/2.0.53
    X-Powered-By: PHP/4.3.11
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Fri, 08 Jul 2005 18:42:02 GMT
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Location: //wp-content/plugins/SK2/sk2_second_chance.php?c_id=148&c_author=example%40example.com
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html

    The browser then does this:

    https://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=wp-content

    GET /search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=wp-content HTTP/1.1
    Host: www.google.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie: PREF=ID=27664863d4f98241:CR=1:TM=1114451930:LM=1117277536:L=0AA:S=n5Wt5n6iGz-2mY63

    HTTP/1.x 302 Found
    Location: https://coding.mu/wp-content/mvcdemo.htm
    Cache-Control: private
    Content-Type: text/html
    Server: GWS/2.1
    Transfer-Encoding: chunked
    Content-Encoding: gzip
    Date: Fri, 08 Jul 2005 18:42:04 GMT

    Which sends you to the site in question coding.mu – This is the first result for the following Google Search: wp-content

    The following workaround will allow you to use Spam Karma 2:

    1. Disable the Captcha Check plugin in the Spam Karma 2 Options pages by setting its strength to disabled.

    I have contacted the author of Spam Karma 2 zedrdave and hopefully a fix for this issue will be available soon!

    westi
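The mechanics of westi's diagnosis, as an added Python model (not SK2 or WordPress code): the `str_replace` on `DOCUMENT_ROOT` yields a `//wp-content/...` path when the document root has no trailing slash, a browser resolves that scheme-relative `Location` to a host named `wp-content`, and a plugin can catch this by checking the resolved redirect host before sending the header. All paths, URLs and the fix's `site_url` parameter are constructed for the example.

```python
# Added example, not SK2's own code: models the redirect bug diagnosed in the
# thread and the check a plugin should make before emitting a Location header.
from urllib.parse import quote_plus, urlencode, urljoin, urlsplit

SECOND_CHANCE_FILE = "sk2_second_chance.php"  # sk2_second_chance_file in the pasted PHP


def sk2_location(document_root, plugin_dir, comment_id, author_email):
    """Mirror str_replace($_SERVER['DOCUMENT_ROOT'], "/", dirname(__FILE__)).
    With no trailing slash on DOCUMENT_ROOT the result starts with "//",
    which is a scheme-relative URL, not a site-relative path."""
    base = plugin_dir.replace(document_root, "/")   # PHP str_replace semantics
    return base + "/" + SECOND_CHANCE_FILE + "?c_id=%d&c_author=%s" % (
        comment_id, quote_plus(author_email))


def browser_resolves(page_url, location):
    """What the browser does with the Location header: resolve it against the
    page that was just POSTed to. "//wp-content/..." keeps the scheme only,
    so the host becomes "wp-content" (which then fails to resolve)."""
    return urljoin(page_url, location)


def redirect_stays_on_site(page_url, location):
    """Server-side sanity check: True only if the resolved redirect target
    has the same host as the page issuing it."""
    target = urlsplit(browser_resolves(page_url, location)).netloc
    return target == urlsplit(page_url).netloc


def fixed_location(site_url, plugin_path, comment_id, author_email):
    """Fully qualified second-chance URL built from the site URL (constructed
    parameter), independent of how DOCUMENT_ROOT is spelled."""
    query = urlencode({"c_id": comment_id, "c_author": author_email})
    path = plugin_path.strip("/") + "/" + SECOND_CHANCE_FILE
    return urljoin(site_url.rstrip("/") + "/", path) + "?" + query


if __name__ == "__main__":
    page = "http://example.com/wp-comments-post.php"
    buggy = sk2_location("/var/www/html", "/var/www/html/wp-content/plugins/SK2",
                         148, "example@example.com")
    print(buggy)                                 # starts with //wp-content/
    print(browser_resolves(page, buggy))         # host is "wp-content"
    print(redirect_stays_on_site(page, buggy))   # False
    print(fixed_location("http://example.com", "wp-content/plugins/SK2",
                         148, "example@example.com"))
```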

    Thread Starter davebgimp

    (@davebgimp)

    Awesome, disabling captcha worked. Thanks for your help!

    That’s ok.

    Hope the Spam Karma 2 Moderate plugin works OK for you now!

    westi

    Thread Starter davebgimp

    (@davebgimp)

    It works beautifully. Oh wait, you wrote it! Ha! I just commented about this issue on your site. Thanks again.

  • The topic ‘Comment hijack…help!’ is closed to new replies.