[wp-trac] [WordPress Trac] #11695: Comments on private posts can be viewed by anyone via RSS
WordPress Trac
wp-trac at lists.automattic.com
Sat Jan 2 20:32:19 UTC 2010
#11695: Comments on private posts can be viewed by anyone via RSS
--------------------------+-------------------------------------------------
Reporter: palotasb | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: Unassigned
Component: Comments | Version:
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
If you consider that comments on a private post can contain confidential
information, this is a security bug or privacy/information disclosure
vulnerability.
To reproduce, create a private post and try to view the post's comment
feed after you've logged out. You can see the comments, but you shouldn't.
A temporary solution is to install the plugin I've attached to this
ticket, but the real solution is to modify core files.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11695>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
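The following plugin is an added illustration of the kind of mitigation the ticket describes, not the plugin the reporter attached and not the core fix. It assumes the long-standing `comment_feed_where` filter (applied to the SQL WHERE clause of every comment feed query) and modern helper APIs (`is_comment_feed()`, `get_queried_object()`, `WP_Post`, the `read_post` meta capability); the `ppcfg_` prefix is an arbitrary name chosen here. It adds two layers: a `template_redirect` gate that refuses a single private post's comment feed to visitors who may not read the post, and a query-level restriction so that any comment feed only selects comments whose parent post is published unless the visitor holds `read_private_posts`.

```php
<?php
/*
Plugin Name: Private Post Comment Feed Guard (illustrative example)
Description: Keeps comments on private posts out of comment feeds for
             visitors who may not read private posts. Example code added
             for ticket #11695; not the reporter's attached plugin.
*/

// True when the current visitor may read private posts at all.
function ppcfg_visitor_can_read_private() {
    return is_user_logged_in() && current_user_can( 'read_private_posts' );
}

// Gate 1: a single post's comment feed (e.g. ?feed=rss2&p=123 or
// /post-slug/feed/). If the underlying post is private and the visitor
// cannot read it, refuse the whole feed instead of serving its comments.
function ppcfg_block_private_post_feed() {
    if ( ! is_feed() || ! is_comment_feed() || ! is_singular() ) {
        return;
    }
    $post = get_queried_object();
    if ( ! ( $post instanceof WP_Post ) ) {
        return;
    }
    // 'read_post' maps to 'read_private_posts' for a private post the
    // visitor does not own, so authors still see their own comment feed.
    if ( 'private' === $post->post_status
         && ! current_user_can( 'read_post', $post->ID ) ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
}
add_action( 'template_redirect', 'ppcfg_block_private_post_feed' );

// Gate 2: defence in depth for every comment feed (global, archive,
// search and single). Narrow the feed's WHERE clause so only comments
// on published posts are selected. A subquery is used rather than a JOIN
// so the clause works whether or not core already joined the posts table.
// Deliberately strict: comments on attachments (post_status 'inherit')
// are excluded too, so an attachment of a private post cannot leak.
function ppcfg_restrict_comment_feed_where( $where, $query ) {
    global $wpdb;
    if ( ppcfg_visitor_can_read_private() ) {
        return $where;
    }
    $clause = "{$wpdb->comments}.comment_post_ID IN ("
            . " SELECT ID FROM {$wpdb->posts}"
            . " WHERE post_status = 'publish' )";
    // Core passes a clause that already begins with WHERE; guard anyway.
    if ( '' === trim( $where ) ) {
        return 'WHERE ' . $clause;
    }
    return $where . ' AND ' . $clause;
}
add_filter( 'comment_feed_where', 'ppcfg_restrict_comment_feed_where', 10, 2 );
```

To check the behaviour, create a private post with an approved comment, log out, and request the post's comment feed: the first gate should answer 403, and the sitewide comment feed should no longer list that comment. Logged in as an administrator, both feeds should be unchanged.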