[wp-trac] Re: [WordPress Trac] #2543: anyone can post comments masquerading as registered user

WordPress Trac wp-trac at lists.automattic.com
Wed Mar 8 09:06:43 GMT 2006

#2543: anyone can post comments masquerading as registered user
       Id:  2543      |      Status:  closed                  
Component:  General   |    Modified:  Wed Mar  8 09:06:42 2006
 Severity:  minor     |   Milestone:                          
 Priority:  normal    |     Version:  2.0.1                   
    Owner:  ramnram1  |    Reporter:  ramnram1                
Changes (by markjaquith):

  * resolution:  => wontfix
  * severity:  critical => minor
  * keywords:  Security =>
  * priority:  highest => normal
  * status:  new => closed


 That is simply not true.

         if ( $userdata && ( $user_id == $post_author || $user->has_cap('level_9') ) ) {
                 $approved = 1;

 Comments only skip moderation for level_9 users who are logged in, or for
 the author of the post.  You cannot spoof this... it doesn't check by name
 or e-mail address.

 If you have WP set to only take comments from registered users, you cannot
 spoof registration by matching name/e-mail address... you must be logged
 into WordPress... and this is checked via cookie.

 There is no security risk.  In order for it to be a security risk, you
 have to be able to intercept private data, or gain control over the blog.
 All this boils down to is that if someone can leave a comment and match
 the info put down by someone else (although they'd just be making an
 educated guess with the e-mail address), who may or may not be a
 registered user.  It's an annoyance... that's all.  You can prevent this
 annoyance with a plugin, if you're really worried about people being
 obnoxious in your comments.

Ticket URL: <http://trac.wordpress.org/ticket/2543>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
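
The distinction drawn in the reply above, as an added example that is not WordPress code and not part of the original message: auto-approval keyed on the authenticated session rather than on the name and e-mail typed into the comment form. The function names, array shapes and sample users are hypothetical and constructed for illustration; `level_9` is modelled as a plain capability string.

```php
<?php
// Added illustration, not WordPress source. All names and data are constructed.

// Registered users keyed by id (constructed sample data).
$users = [
    1 => ['name' => 'alice', 'email' => 'alice@example.org', 'caps' => ['level_9']],
    2 => ['name' => 'bob',   'email' => 'bob@example.org',   'caps' => []],
];

// Weak variant: trusts the name/e-mail typed into the comment form.
// Anyone who supplies both values is treated as that user.
function approve_by_submitted_fields(array $users, array $form, int $postAuthor): bool
{
    foreach ($users as $id => $u) {
        if (strcasecmp($u['name'], $form['author']) === 0
            && strcasecmp($u['email'], $form['email']) === 0) {
            return $id === $postAuthor || in_array('level_9', $u['caps'], true);
        }
    }
    return false;
}

// Variant matching the reply: identity comes only from the server-side
// session ($sessionUserId is null for anonymous visitors); form fields are ignored.
function approve_by_session(array $users, ?int $sessionUserId, int $postAuthor): bool
{
    if ($sessionUserId === null || !isset($users[$sessionUserId])) {
        return false; // not logged in: the comment always goes through moderation
    }
    return $sessionUserId === $postAuthor
        || in_array('level_9', $users[$sessionUserId]['caps'], true);
}

// Constructed case: an anonymous visitor submits alice's name and e-mail on bob's post.
$form = ['author' => 'alice', 'email' => 'alice@example.org'];

var_dump(approve_by_submitted_fields($users, $form, 2)); // weak check, form fields only
var_dump(approve_by_session($users, null, 2));           // same visitor, no session
var_dump(approve_by_session($users, 1, 2));              // alice actually logged in
var_dump(approve_by_session($users, 2, 2));              // bob, the post author
```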
