[wp-trac] [WordPress Trac] #49956: Spammers able to share unmoderated comments

WordPress Trac noreply at wordpress.org
Mon Apr 27 12:21:07 UTC 2020


#49956: Spammers able to share unmoderated comments
--------------------------+---------------------
 Reporter:  jonkolbert    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  5.4.2
Component:  Comments      |     Version:  5.1
 Severity:  major         |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+---------------------

Comment (by ayeshrajans):

 Thank you @peterwilsoncc - a single-user token certainly sounds like a
 much cleaner approach.

 `nocache_headers()` certainly seems to do the trick with proxies/CDNs.

 The root problem is with HTTP's stateless nature: unless we show the
 comment as the direct response to an HTTP POST method, we cannot determine
 if the user indeed is the one who submitted the comment if we don't use
 cookies, local storage, IP address, etc.

 If we were to use a single-use token, an attacker can submit a comment
 with the POST request, and get the redirect URL with the single-use token
 from the `Location` header. The attacker can decide not to open this URL
 themselves, and instead post it in a spam farm. A search engine bot
 might come across this, and because the token is not used yet, the attacker
 can still get a positive attack because it will be the search engine bot
 who sees the single-use comment preview now. Although far-fetched, it is a
 technical possibility.

 We can impose a time limit of a few seconds that can practically make this
 attack useless. At this point, just sending the no-cache headers (without
 any token use) would be enough to prevent proxy/CDN poisoning.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49956#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
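The comment above sketches a short-lived, single-use token combined with `nocache_headers()`. The following is an added illustration of that combination as plugin-style code, not WordPress core's code and not the patch that closed this ticket. The hook names (`comment_post_redirect`, `template_redirect`, `comments_array`) and the WordPress functions used are real; the token lifetime of 10 seconds, the query-arg name `unapproved_token`, the transient key prefix and all function names are choices made for this example.

```php
<?php
/**
 * Added illustration, not WordPress core code: a short-lived, single-use
 * token that lets only the client that just submitted a comment see it
 * while it awaits moderation. The token is stored in a transient that is
 * deleted on first use and expires after a few seconds, and the preview
 * response carries nocache_headers() so proxies/CDNs never store it.
 */

const UNAPPROVED_PREVIEW_TTL = 10;                 // seconds (assumed value)
const UNAPPROVED_PREVIEW_ARG = 'unapproved_token'; // query-arg name (assumed)

/**
 * After wp-comments-post.php stores the comment, mint a single-use token
 * for unapproved comments and append it to the redirect URL. Runs on the
 * 'comment_post_redirect' filter, which receives the Location and the comment.
 */
function unapproved_preview_redirect( $location, $comment ) {
	if ( '0' !== (string) $comment->comment_approved ) {
		return $location; // approved (or spam) comments need no preview token
	}
	$token = wp_generate_password( 32, false ); // 32 alphanumerics, no symbols
	set_transient( 'unapproved_preview_' . $token, (int) $comment->comment_ID, UNAPPROVED_PREVIEW_TTL );
	return add_query_arg( UNAPPROVED_PREVIEW_ARG, $token, $location );
}
add_filter( 'comment_post_redirect', 'unapproved_preview_redirect', 10, 2 );

/**
 * Redeem a token exactly once: returns the comment ID it was minted for, or 0.
 * The transient is deleted before returning, so a URL handed to a third party
 * (a spam farm, a search-engine bot) is dead after its first use, and it also
 * dies on its own after UNAPPROVED_PREVIEW_TTL seconds if never used.
 */
function unapproved_preview_redeem( $token ) {
	if ( ! is_string( $token ) || ! preg_match( '/^[A-Za-z0-9]{32}$/', $token ) ) {
		return 0; // reject anything that is not a token we could have minted
	}
	$key        = 'unapproved_preview_' . $token;
	$comment_id = (int) get_transient( $key );
	delete_transient( $key ); // single use: the first reader consumes it
	return $comment_id;
}

/**
 * Early in the request, before any output, consume the token, remember which
 * comment may be shown, and mark the response as uncacheable.
 */
function unapproved_preview_template_redirect() {
	if ( empty( $_GET[ UNAPPROVED_PREVIEW_ARG ] ) ) {
		return;
	}
	$comment_id = unapproved_preview_redeem( wp_unslash( $_GET[ UNAPPROVED_PREVIEW_ARG ] ) );
	if ( $comment_id > 0 ) {
		$GLOBALS['unapproved_preview_comment_id'] = $comment_id;
	}
	// Cache-Control: no-cache, must-revalidate, max-age=0 plus Expires, so no
	// shared cache keeps the page carrying the unmoderated comment.
	nocache_headers();
}
add_action( 'template_redirect', 'unapproved_preview_template_redirect' );

/**
 * Append the previewed comment to the list rendered for its post.
 * 'comments_array' is filtered with the approved comments and the post ID.
 */
function unapproved_preview_comments_array( $comments, $post_id ) {
	$comment_id = isset( $GLOBALS['unapproved_preview_comment_id'] )
		? (int) $GLOBALS['unapproved_preview_comment_id'] : 0;
	if ( 0 === $comment_id ) {
		return $comments;
	}
	$comment = get_comment( $comment_id );
	// Show it only while it still awaits moderation and belongs to this post.
	if ( $comment && '0' === (string) $comment->comment_approved
		&& (int) $comment->comment_post_ID === (int) $post_id ) {
		$comments[] = $comment;
	}
	return $comments;
}
add_filter( 'comments_array', 'unapproved_preview_comments_array', 10, 2 );
```

Two design points follow the comment's reasoning: the token is consumed on first read and expires after a few seconds, so a leaked redirect URL gives a search-engine bot nothing once the submitter's browser has followed it (or once the TTL passes), and `nocache_headers()` is sent on every request that carries the query arg, valid token or not, so an intermediary never has a cacheable copy of the preview to serve to other visitors.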

