[wp-trac] [WordPress Trac] #11695: Comments on private posts can be viewed by anyone via RSS

WordPress Trac wp-trac at lists.automattic.com
Sat Jan 2 20:32:19 UTC 2010


#11695: Comments on private posts can be viewed by anyone via RSS
--------------------------+-------------------------------------------------
 Reporter:  palotasb      |       Owner:            
     Type:  defect (bug)  |      Status:  new       
 Priority:  high          |   Milestone:  Unassigned
Component:  Comments      |     Version:            
 Severity:  normal        |    Keywords:            
--------------------------+-------------------------------------------------
 If you consider that comments on a private post can contain confidential
 information, this is a security bug or privacy/information disclosure
 vulnerability.

 To reproduce, create a private post and try to view the post's comment
 feed after you've logged out. You can see the comments, but you shouldn't.

 A temporary solution is to install the plugin I've attached to this
 ticket, but the real solution is to modify core files.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11695>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
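The defensive check the ticket asks for, written as a small standalone plugin. This is an added illustration for the ticket, not the plugin the reporter attached and not WordPress core code. It assumes a WordPress version that provides the `pre_get_comments` action (introduced in 3.1, so later than this 2010 ticket) and the standard `template_redirect`, `is_feed()`, `is_singular()`, `current_user_can()` and `WP_Comment_Query` APIs. It covers both feed paths a logged-out visitor can reach: the per-post comment feed and the site-wide comment feed.

```php
<?php
/**
 * Plugin Name: Private Post Comment Feed Guard (illustrative)
 *
 * Added example for ticket #11695; not the reporter's attached plugin and
 * not core code. Assumes WordPress 3.1+ for the pre_get_comments action.
 */

// 1. Per-post comment feed (e.g. /post-slug/feed/): if the post is private
//    and the current visitor cannot read it, answer as if the feed did not
//    exist, the same way the private post itself is hidden from them.
add_action( 'template_redirect', function () {
    if ( ! is_feed() || ! is_singular() ) {
        return;
    }

    $post = get_queried_object();
    if ( ! $post instanceof WP_Post ) {
        return;
    }

    if ( 'private' === get_post_status( $post )
        && ! current_user_can( 'read_post', $post->ID ) ) {
        status_header( 404 );
        nocache_headers();
        exit;
    }
} );

// 2. Site-wide comment feed (/comments/feed/): comments on private posts are
//    normally mixed in. Unless the visitor may read private posts, restrict
//    the comment query to comments attached to published posts.
add_action( 'pre_get_comments', function ( WP_Comment_Query $query ) {
    if ( ! is_feed() ) {
        return;
    }

    if ( current_user_can( 'read_private_posts' ) ) {
        return;
    }

    // WP_Comment_Query honours a post_status restriction on the joined post.
    $query->query_vars['post_status'] = 'publish';
} );
```

The first hook keys on `current_user_can( 'read_post', $id )` rather than on `is_user_logged_in()`, so a logged-in subscriber without `read_private_posts` is also kept out, matching the visibility rule applied to the post itself. The second hook deliberately narrows the query instead of filtering rendered output, so the private comments never leave the database for that request.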


More information about the wp-trac mailing list