[wp-trac] Re: [WordPress Trac] #2543: anyone can post comments masquerading as registered user

WordPress Trac wp-trac at lists.automattic.com
Wed Mar 8 07:36:54 GMT 2006


#2543: anyone can post comments masquerading as registered user
-----------------------+----------------------------------------------------
       Id:  2543       |      Status:  new                     
Component:  General    |    Modified:  Wed Mar  8 07:36:54 2006
 Severity:  minor      |   Milestone:                          
 Priority:  normal     |     Version:  2.0.1                   
    Owner:  anonymous  |    Reporter:  ramnram1                
-----------------------+----------------------------------------------------
Changes (by markjaquith):

  * component:  Security => General
  * severity:  critical => minor
  * keywords:  security =>
  * priority:  highest => normal
  * summary:  anyone can post comments as registered user => anyone can
              post comments masquerading as registered user

Old description:

> one can post comments as a legitimate user with the following
> information:
>

> ----
>
> Name (required) : <legitimate user's alias>
>
> Mail (will not be published) (required): <his/her email>
>
> Website: <the user's website>
>
> ----
>
> where name and website can be got from the user's other comments

New description:

 one can post comments masquerading as a legitimate user with the following
 information:


 ----

 Name (required) : <legitimate user's alias>

 Mail (will not be published) (required): <his/her email>

 Website: <the user's website>

 ----

 where name and website can be got from the user's other comments

Comment:

 I'm downgrading the severity of this... I don't see the security
 implications.  It's an annoyance, yes, but it doesn't compromise the
 security of the WP install.

 There is a plugin that prevents imposters:

 http://www.skippy.net/blog/2005/09/08/impostercide/

 I don't think this is necessarily something that should be included in
 core, although I'm open to the argument.

 I've also altered the summary and description to add the word
 "masquerading" because the comments are not actually added as the
 legitimate user... they just appear to be so, to the outside world.  The
 $comment->user_id value will NOT be set.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2543>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
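As an added illustration of the gap the ticket describes (this is example code, not WordPress core's and not the Impostercide plugin's), a small plugin-style hook that refuses anonymous comments whose author e-mail or name matches a registered account, so that a comment which would be stored with `user_id = 0` cannot pass for that user's own. It assumes the `preprocess_comment` filter and the `get_user_by()`/`get_users()`/`wp_die()` API of later WordPress releases (2.8 onward), which the 2.0.1 install in the ticket would not have; the `example_` function names are assumptions as well.

```php
<?php
/*
 * Plugin Name: Example Impostor Check (added example, not Impostercide)
 *
 * Refuses anonymous comments whose author name or e-mail belongs to a
 * registered user: such comments are stored with user_id = 0 yet read,
 * to visitors, as the registered user's own words. Assumes the
 * preprocess_comment filter and get_user_by()/get_users() of WP 2.8+.
 */

// Registered user whose login, nicename or display name equals $name, else null.
function example_find_user_by_name( $name ) {
    $name = trim( (string) $name );
    if ( '' === $name ) {
        return null;
    }
    foreach ( array( 'login', 'slug' ) as $field ) {
        $user = get_user_by( $field, $name );
        if ( $user ) {
            return $user;
        }
    }
    // display_name is not a get_user_by() field; without '*' the user query is an exact match.
    $users = get_users( array(
        'search'         => $name,
        'search_columns' => array( 'display_name' ),
        'number'         => 1,
    ) );
    return $users ? $users[0] : null;
}

// preprocess_comment runs before insertion, so rejecting here keeps the
// impostor comment out of the database entirely.
function example_reject_impostor_comment( $commentdata ) {
    if ( is_user_logged_in() ) {
        return $commentdata; // identity comes from the session; core sets user_id
    }
    $email   = isset( $commentdata['comment_author_email'] ) ? trim( $commentdata['comment_author_email'] ) : '';
    $name    = isset( $commentdata['comment_author'] ) ? $commentdata['comment_author'] : '';
    $claimed = ( '' !== $email ) ? get_user_by( 'email', $email ) : false;
    if ( ! $claimed ) {
        $claimed = example_find_user_by_name( $name );
    }
    if ( $claimed ) {
        wp_die( 'That name or e-mail address belongs to a registered user; please log in to comment as that user.',
                '', array( 'response' => 403 ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_reject_impostor_comment' );
```

Because the check runs in `preprocess_comment`, it also covers the existing-comment case markjaquith points out: a reader of the rendered page cannot distinguish the two, so the only reliable signal is `user_id`, and this hook keeps the ambiguous rows from being written at all.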

