[wp-trac] [WordPress Trac] #13791: Prevent comment author impersonation

WordPress Trac wp-trac at lists.automattic.com
Wed Jun 9 06:43:52 UTC 2010


#13791: Prevent comment author impersonation
-------------------------+--------------------------------------------------
 Reporter:  mdawaffe     |       Owner:           
     Type:  enhancement  |      Status:  new      
 Priority:  normal       |   Milestone:  3.1      
Component:  Comments     |     Version:  2.9.2    
 Severity:  normal       |    Keywords:  has-patch
-------------------------+--------------------------------------------------
 Currently any logged out commenter can create a comment using a registered
 user's name and email address.  Blog viewers can't tell the difference
 unless the theme styles the comments differently based on the comment's
 user_id.  Even then, the user_id of a user without the unfiltered_html cap
 can be spoofed via CSRF.

 Whether the comment was submitted by a logged in user is not displayed
 admin-side either.

 To prevent impersonation, the attached:
  1. Extends CSRF protection to cover all logged in commenters, not just
 the unfiltered comment content of logged in commenters with the
 unfiltered_html cap.
  2. Fires a new {{{comment_impersonation}}} action during the
 {{{pre_comment_on_post}}} hook only for logged out users.  Attaching it to
 {{{pre_comment_on_post}}} ensures the new hook does not get fired during
 imports.
  3. Adds an impersonation detector to that new hook to check
 {{{pre_comment_author_email}}} for email addresses of registered users.
  4. If impersonation is detected, {{{wp_die()}}}s.

 Impersonation of registered users by logged in users is already prevented
 by wp-comments-post.php (it overwrites the email/name/url submitted by
 logged in users).

 Impersonation of registered users by logged out users is caught by the
 attached.

 Impersonation of unregistered users is fine: let Anonymous have its
 freedom.

 "Impersonation" of registered users by CSRF is prevented by noncing the
 form for all logged in commenters.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13791>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
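The four steps in the ticket, written out as a stand-alone plugin. This is an added illustration, not the attached patch and not WordPress core code: it hooks the existing {{{pre_comment_on_post}}} action (run only by wp-comments-post.php, so imports never reach it), fires the {{{comment_impersonation}}} action the ticket proposes (created here by the plugin itself; it is assumed, not a core hook), checks the filtered {{{pre_comment_author_email}}} value against registered users, and {{{wp_die()}}}s on a match. The nonce name, field name and {{{cig_}}} function prefix are made up for the example.

```php
<?php
/**
 * Plugin Name: Comment Impersonation Guard (illustrative example)
 *
 * Added example for ticket #13791: not the attached patch, not core code.
 * Logged-out commenters may not post under a registered user's email address.
 */

// Step 2: from pre_comment_on_post (front-end submissions only), run the
// impersonation check for logged-out users only.
add_action( 'pre_comment_on_post', 'cig_check_logged_out_commenter', 10, 1 );

function cig_check_logged_out_commenter( $comment_post_id ) {
    if ( is_user_logged_in() ) {
        // wp-comments-post.php overwrites name/email/url for logged-in users,
        // so there is nothing to check; the nonce below covers CSRF.
        return;
    }

    // Apply the same filter core applies when saving a comment, so the
    // detector sees the address the way core will store it.
    $raw_email = isset( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '';
    $email     = apply_filters( 'pre_comment_author_email', $raw_email );

    // Steps 3/4: hand the pair to the detector. 'comment_impersonation' is the
    // action name proposed in the ticket; this plugin creates it (assumption).
    do_action( 'comment_impersonation', $comment_post_id, $email );
}

add_action( 'comment_impersonation', 'cig_detect_registered_email', 10, 2 );

function cig_detect_registered_email( $comment_post_id, $email ) {
    if ( cig_email_belongs_to_registered_user( $email ) ) {
        wp_die(
            __( 'That email address belongs to a registered user. Please log in to comment as that user.' ),
            __( 'Comment rejected' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
}

/**
 * True when $email is a well-formed address owned by a registered user.
 * Separated from the wp_die() call so it can be tested without ending the request.
 */
function cig_email_belongs_to_registered_user( $email ) {
    $email = sanitize_email( $email );
    if ( '' === $email || ! is_email( $email ) ) {
        return false;
    }
    return (bool) get_user_by( 'email', $email );
}

// Step 1: nonce the form for every logged-in commenter, not only those with
// unfiltered_html, and verify it before the comment is created.
add_action( 'comment_form', 'cig_nonce_field_for_logged_in', 10, 1 );

function cig_nonce_field_for_logged_in( $post_id ) {
    if ( is_user_logged_in() ) {
        // Field and action names are example values, not core's.
        wp_nonce_field( 'cig-logged-in-comment_' . $post_id, '_cig_comment_nonce', false );
    }
}

add_action( 'pre_comment_on_post', 'cig_verify_logged_in_nonce', 9, 1 );

function cig_verify_logged_in_nonce( $comment_post_id ) {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $nonce = isset( $_POST['_cig_comment_nonce'] ) ? $_POST['_cig_comment_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'cig-logged-in-comment_' . $comment_post_id ) ) {
        wp_die(
            __( 'Comment submission failed a security check. Please reload the page and try again.' ),
            __( 'Comment rejected' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
}
```

The nonce check runs at priority 9 so it precedes the impersonation check on the same hook; since it only applies to logged-in users and the detector only to logged-out users, the two never both fire for one request. Themes that build their own comment form must call the {{{comment_form}}} action (or {{{comment_form()}}}) for the hidden field to be emitted.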