[wp-trac] [WordPress Trac] #49956: Spammers able to share unmoderated comments
WordPress Trac
noreply at wordpress.org
Mon Apr 27 12:21:07 UTC 2020
#49956: Spammers able to share unmoderated comments
--------------------------+---------------------
Reporter: jonkolbert | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.4.2
Component: Comments | Version: 5.1
Severity: major | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+---------------------
Comment (by ayeshrajans):
Thank you @peterwilsoncc - a single-use token certainly sounds like a
much cleaner approach.
`nocache_headers()` certainly seems to do the trick with proxies/CDNs.
The root problem is with HTTP's stateless nature: unless we show the
comment as the direct response to an HTTP POST method, we cannot determine
if the user indeed is the one who submitted the comment if we don't use
cookies, local storage, IP address, etc.
If we were to use a single-use token, an attacker can submit a comment
with the POST request, and get the redirect URL with the single-use token
from the `Location` header. The attacker can decide to not open this URL by
themselves, and instead post this in a spam farm. A search engine bot
might come across this, and because the token is not used yet, the attacker
can still get a positive attack because it will be the search engine bot
who sees the single-use comment preview now. Although far-fetched, it is a
technical possibility.
We can impose a time-limit of a few seconds that can practically make this
attack useless. At this point, just sending the no-cache headers (without
any token use) would be enough to prevent proxy/CDN poisoning.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49956#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
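The scheme discussed in the comment above, written out as an added example that is not WordPress code and not part of the ticket: a preview token that is bound to one comment, is signed, can be redeemed exactly once, and expires after a few seconds, so a token that is only consumed later (for instance by a crawler that finds the leaked redirect URL) is refused. The parameter name `preview_token`, the in-memory store, the key and the header values are assumptions made for this example; in particular the header values are representative no-cache values, not a copy of what WordPress's `nocache_headers()` emits.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example key; a real deployment would use a per-site secret.
SECRET_KEY = b"constructed-example-key-not-a-real-secret"
# The "few seconds" window proposed in the ticket comment.
TOKEN_TTL_SECONDS = 5

# Single-use store: comment_id -> (token, expires_at). Entries are removed
# when a token is redeemed, whether or not it was still valid at that time.
_pending_previews = {}


def _sign(comment_id, nonce):
    """HMAC over comment id and nonce, so a token cannot be moved to another comment."""
    msg = f"{comment_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_preview_token(comment_id, now=None):
    """Issue a fresh single-use token for one comment and record its expiry."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)  # no '.' characters, so partition() below is safe
    token = f"{nonce}.{_sign(comment_id, nonce)}"
    _pending_previews[comment_id] = (token, now + TOKEN_TTL_SECONDS)
    return token


def preview_redirect_url(comment_id, token):
    """Redirect target placed in the Location header after the POST (hypothetical param name)."""
    return f"/?p=1&unapproved={comment_id}&preview_token={token}"


def redeem_preview_token(comment_id, token, now=None):
    """Return True exactly once for a valid, unexpired token; anything else is False."""
    now = time.time() if now is None else now
    entry = _pending_previews.get(comment_id)
    if entry is None:
        return False
    stored, expires_at = entry
    nonce, _, sig = token.partition(".")
    # Constant-time checks: the presented token must match the stored one and
    # carry a valid signature for this comment id. A wrong token does not
    # consume the stored one, so a guess cannot lock out the real submitter.
    if not hmac.compare_digest(stored, token):
        return False
    if not hmac.compare_digest(sig, _sign(comment_id, nonce)):
        return False
    # Consume on first presentation, even if expired: single use.
    del _pending_previews[comment_id]
    return now <= expires_at


def nocache_headers():
    """Response headers for the preview page so proxies and CDNs never store it (example values)."""
    return {
        "Expires": "Wed, 11 Jan 1984 05:00:00 GMT",
        "Cache-Control": "no-cache, must-revalidate, max-age=0, no-store, private",
    }


if __name__ == "__main__":
    t0 = 1000.0
    token = issue_preview_token("42", now=t0)
    print(preview_redirect_url("42", token))
    print("submitter redeems at +2s:", redeem_preview_token("42", token, now=t0 + 2))
    print("same token again:", redeem_preview_token("42", token, now=t0 + 3))
    late = issue_preview_token("43", now=t0)
    print("crawler redeems at +30s:", redeem_preview_token("43", late, now=t0 + 30))
```

The `now` argument exists only so the timing can be exercised deterministically; a real handler would leave it at the default. Whatever is decided about the token, the preview response itself should still go out with the no-cache headers, since that is what stops a shared cache from serving one submitter's unmoderated comment to everyone else.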