[wp-trac] Re: [WordPress Trac] #2543: anyone can post comments masquerading as registered user
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 8 09:06:43 GMT 2006
#2543: anyone can post comments masquerading as registered user
----------------------+-----------------------------------------------------
Id: 2543 | Status: closed
Component: General | Modified: Wed Mar 8 09:06:42 2006
Severity: minor | Milestone:
Priority: normal | Version: 2.0.1
Owner: ramnram1 | Reporter: ramnram1
----------------------+-----------------------------------------------------
Changes (by markjaquith):
* resolution: => wontfix
* severity: critical => minor
* keywords: Security =>
* priority: highest => normal
* status: new => closed
Comment:
That is simply not true.
{{{
if ( $userdata && ( $user_id == $post_author ||
                    $user->has_cap('level_9') ) ) {
    $approved = 1;
}
}}}
Comments only skip moderation for level_9 users who are logged in, or for
the author of the post. You cannot spoof this... it doesn't check by name
or e-mail address.
If you have WP set to only take comments from registered users, you cannot
spoof registration by matching name/e-mail address... you must be logged
into WordPress... and this is checked via cookie.
There is no security risk. In order for it to be a security risk, you
have to be able to intercept private data, or gain control over the blog.
All this boils down to is that someone can leave a comment and match the
info put down by someone else (although they'd just be making an educated
guess with the e-mail address), who may or may not be a registered user.
It's an annoyance... that's all. You can prevent this annoyance with a
plugin, if you're really worried about people being obnoxious in your
comments.
--
Ticket URL: <http://trac.wordpress.org/ticket/2543>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
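The comment above says the name/e-mail overlap is a plugin-level concern rather than a core one. The plugin below is an added illustration of that mitigation, not code from the ticket or from WordPress core; it uses the current `preprocess_comment` filter and `get_user_by()` / `wp_get_current_user()` API rather than the 2006-era functions, and the plugin name and `rri_` function name are assumptions.

```php
<?php
/*
Plugin Name: Reserve registered commenter identities (example)
Description: Reject anonymous comments whose e-mail or login matches a
             registered user unless the commenter is logged in as that user.
*/

// Runs before the comment is inserted; receives the raw submission array.
function rri_guard_comment( array $commentdata ) {
    $email = isset( $commentdata['comment_author_email'] )
        ? strtolower( trim( $commentdata['comment_author_email'] ) ) : '';
    $name  = isset( $commentdata['comment_author'] )
        ? trim( $commentdata['comment_author'] ) : '';

    // Find the registered user the submitted identity would collide with.
    // E-mail is the stronger signal (unique per account); login is the
    // fallback in case the visitor typed a username as the display name.
    $owner = false;
    if ( '' !== $email ) {
        $owner = get_user_by( 'email', $email );
    }
    if ( ! $owner && '' !== $name ) {
        $owner = get_user_by( 'login', $name );
    }
    if ( ! $owner ) {
        return $commentdata; // no registered identity to borrow; carry on
    }

    // Identity is decided by the login cookie, exactly as the ticket comment
    // describes, never by the name/e-mail fields the visitor can type.
    $current = wp_get_current_user();
    if ( $current instanceof WP_User && (int) $current->ID === (int) $owner->ID ) {
        return $commentdata; // genuinely that user, authenticated by cookie
    }

    // Anonymous (or differently logged-in) visitor reusing someone's identity:
    // refuse the submission instead of letting it sit in the queue.
    wp_die(
        'That name or e-mail address belongs to a registered user. Please log in to comment as that user.',
        'Comment rejected',
        array( 'response' => 403 )
    );
}
add_filter( 'preprocess_comment', 'rri_guard_comment' );
```

Because only the logged-in user ID is trusted, a visitor who guesses a registered user's e-mail address is blocked, while that user commenting normally while logged in is unaffected.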