[wp-trac] Re: [WordPress Trac] #2543: anyone can post comments masquerading as registered user

WordPress Trac wp-trac at lists.automattic.com
Wed Mar 8 11:07:45 GMT 2006


#2543: anyone can post comments masquerading as registered user
----------------------+-----------------------------------------------------
       Id:  2543      |      Status:  closed                  
Component:  General   |    Modified:  Wed Mar  8 11:07:45 2006
 Severity:  minor     |   Milestone:                          
 Priority:  normal    |     Version:  2.0.1                   
    Owner:  ramnram1  |    Reporter:  ramnram1                
----------------------+-----------------------------------------------------
Changes (by markjaquith):

  * resolution:  => wontfix
  * component:  Security => General
  * priority:  highest => normal
  * severity:  major => minor
  * status:  reopened => closed

Comment:

 Are you talking about the setting "Comment author must have a previously
 approved comment"?  In that case, you '''had''' a previously approved
 comment with that e-mail address so the subsequent comments went
 through... this is intended behavior. Again, if you don't want people
 masquerading as a registered user, '''use the plugin'''.

 First-time moderation obviously only works if it is the first comment for
 that e-mail address.  There is no other criterion that can be used to
 enforce this.  E-mail is the only part of the comment that is not publicly
 revealed.  If you want complete moderation, select "An administrator must
 approve the comment (regardless of any matches below)".

 We can continue to discuss this, but you need to stop marking this as a
 security issue.  '''It isn't a security issue.'''  I've set up a test blog
 with a post for you:
 http://txfx.net/wp2/2006/try-to-leave-a-comment-on-this-post/

 I registered a WP user, and left a comment using that user.  In the
 comment is that user's info, including the e-mail address used.  Your job
 is to gain control of the blog and prove it by making a new post.

 If you can't do that, this is not a security issue.  Marking it as such
 only causes undue panic among people who don't know any better.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2543>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
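The moderation logic the comment describes, written out as a small model so the three settings can be compared side by side. This is an added example, not code from WordPress or from this ticket: the setting names, the `Blog`/`Comment` classes and the `guard_registered_emails` policy (a stand-in for the plugin the comment refers to) are assumptions, and the sample e-mail address is constructed. It shows why a "previously approved comment" check keyed on the e-mail address passes any later comment carrying that address, and that only full administrator moderation or a check tied to an authenticated session changes the outcome.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Comment:
    author: str
    email: str                              # not displayed publicly, but never verified either
    content: str
    approved: bool = False
    logged_in_user: Optional[str] = None    # set only when an authenticated session proves identity


@dataclass
class Blog:
    # Site settings; names mirror the ticket's wording, not real WordPress option keys (assumed).
    require_admin_approval: bool = False      # "An administrator must approve the comment"
    require_previous_approval: bool = True    # "Comment author must have a previously approved comment"
    guard_registered_emails: bool = False     # stand-in for the plugin behaviour (assumed)
    registered_users: Dict[str, str] = field(default_factory=dict)   # login -> e-mail
    comments: List[Comment] = field(default_factory=list)

    def has_previously_approved(self, email: str) -> bool:
        # The only signal the default policy has: has this e-mail had an approved comment before?
        return any(c.approved and c.email == email for c in self.comments)

    def moderate(self, comment: Comment) -> str:
        """Return 'approve', 'hold' or 'reject' for a submitted comment."""
        if self.guard_registered_emails:
            # E-mail belongs to a registered account but the request is not authenticated as it.
            owner = next((u for u, e in self.registered_users.items() if e == comment.email), None)
            if owner is not None and comment.logged_in_user != owner:
                return "reject"
        if self.require_admin_approval:
            return "hold"
        if self.require_previous_approval and not self.has_previously_approved(comment.email):
            return "hold"
        return "approve"

    def submit(self, comment: Comment) -> str:
        decision = self.moderate(comment)
        comment.approved = decision == "approve"
        if decision != "reject":
            self.comments.append(comment)
        return decision


def run_scenario(**settings) -> Dict[str, str]:
    """Replay the ticket's situation under a given set of settings."""
    blog = Blog(**settings)
    blog.registered_users["mark"] = "mark@example.invalid"   # constructed sample user
    own = Comment("mark", "mark@example.invalid", "first comment", logged_in_user="mark")
    first = blog.submit(own)
    own.approved = True   # an administrator approves the genuine first comment
    # A later comment from an unauthenticated visitor reusing the same e-mail address.
    later = Comment("mark", "mark@example.invalid", "posted by someone else")
    return {"own": first, "spoof": blog.submit(later)}


if __name__ == "__main__":
    print("default:       ", run_scenario())
    print("admin approves:", run_scenario(require_admin_approval=True))
    print("guard e-mails: ", run_scenario(guard_registered_emails=True))
```

Under the default settings the second comment is approved, which is exactly the "intended behavior" the comment describes: the e-mail address is the only non-public field, and it is supplied by the commenter. The decision changes only when every comment is held for an administrator, or when a comment carrying a registered user's address is rejected unless the request is authenticated as that user, which is what the model's `guard_registered_emails` policy stands in for.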

