• I discovered a security hole via someone else’s site in the native comment moderation system. If I use the screen-name “whatever” and post, and the comment is successfully released to post by an admin, someone else can come along and use the same screen-name to post as though they were me, regardless of whether the email address is different. That post by the clone poster then successfully posts to the site without having to go through moderation, even if the email WAS different.

    So far I’ve only experienced this on one WordPress site, but I should think it would be easily reproducible on most WP sites if I’m correct about this hole.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    That’s not a security hole. It’s totally plausible that multiple people use the same handles, and unless the user is registered on your site, there’s no real way to validate that whatever #1 is the same as whatever #2.

    If you want to protect your registered users from being imitated, though, grab https://www.ads-software.com/extend/plugins/impostercide/
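    The mitigation the moderator points at can also be built as a small filter of your own. The following is an added example, not the Impostercide plugin’s code: it hooks WordPress’s `pre_comment_approved` filter and holds for moderation any comment from a visitor who is not logged in but whose author name matches a registered user’s login or display name. The function names prefixed `example_` are invented for this illustration.

```php
<?php
/*
 * Added example (not part of the forum thread or the Impostercide plugin):
 * hold anonymous comments that reuse a registered user's login or display
 * name. Save as a plugin file under wp-content/plugins/ and activate it.
 */

/**
 * Return true when $author_name matches an existing account's user_login
 * or display_name. Matching is exact (MySQL's default collation makes the
 * comparison case-insensitive), so "Joe Doe" and "joe doe" both match.
 */
function example_name_belongs_to_registered_user( $author_name ) {
    $name = trim( (string) $author_name );
    if ( '' === $name ) {
        return false;
    }
    // Exact login match.
    if ( get_user_by( 'login', $name ) ) {
        return true;
    }
    // Display-name match; without wildcards WP_User_Query compares with '='.
    $query = new WP_User_Query( array(
        'search'         => $name,
        'search_columns' => array( 'display_name' ),
        'number'         => 1,
        'fields'         => 'ID',
    ) );
    return count( $query->get_results() ) > 0;
}

/**
 * pre_comment_approved callback. $approved is 1 (approve), 0 (hold),
 * 'spam' or 'trash'; $commentdata is the array WordPress built from the form.
 */
function example_hold_impersonating_comments( $approved, $commentdata ) {
    // Only intervene when WordPress is about to auto-approve.
    if ( 1 !== $approved && '1' !== $approved ) {
        return $approved;
    }
    // Logged-in commenters are already identified; check anonymous ones only.
    if ( ! empty( $commentdata['user_id'] ) ) {
        return $approved;
    }
    if ( example_name_belongs_to_registered_user( $commentdata['comment_author'] ) ) {
        return 0; // hold for moderation instead of publishing
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'example_hold_impersonating_comments', 10, 2 );
```

    This does not decide who the "real" owner of a name is (the point the moderator makes below); it only routes the ambiguous cases to a human, which is the most WordPress can do for unauthenticated commenters.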

    Thread Starter Allison Gamblin

    (@svallie)

    Hrm. Good to know. Thanks!

    Of course, wouldn’t it be logical that if you have to have an email with a comment [assuming you aren’t registered] the WP system would be able to invalidate multiple uses of the same screenname?

    Perhaps this is something that can be worked out in an upcoming release, say by building the impostercide plugin into the core.

    Anyway, thanks!

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Tried it. The problem is validate with whom, precisely?

    I mean, let’s say [email protected] leaves a comment with the name ‘Joe Doe.’ Then someone else leaves a comment, same email, with the name ‘Joseph Doe.’ Which one is the RIGHT name? They both are! Do I reject one over the other? How do I decide who’s right and who isn’t?

    The reason WP doesn’t validate against anon users is that there’s no way to do it without causing massive overhead (do you really want to scan every comment ever made when someone wants to leave one?). The best we can do is say ‘If you, Tron, want to comment and already have an ID on the grid, please log in.’ Other than that, though, Tron may want to use his [email protected] email, or his [email protected] one. They’re both valid Trons, and it’s too much data to manage.

    Actually, that’s why places like blogger use OpenID and all to validate people.

  • The topic ‘Comment Security Hole’ is closed to new replies.