Comment Submission – Possible Security Issue

    I have the latest version of WP installed. I have comment submission enabled, however, only to those that register on my blog. In addition, all posts must be approved by me before they are actually posted.

    This morning, I received an email notification telling me that there was a comment waiting to be approved. At first, it seemed like a spambot was trying to post, but no spam. The name that was filled out was the topic of another post in the same category. The URL was that of the blog post of the topic that was in the name field.

    In addition, in the name field was the name I have as my real name on the blog. The IP address was that of the server my website is hosted on. A few things I found strange:

    1.) That someone was able to submit a comment when my blog is set to not allow any comments unless you are logged in.

    2.) The only user on my blog is myself. No other users are listed, making the whole issue of not being able to submit a comment unless you are logged in even more strange.

    3.) The IP address was that of the server/website. I tried a test post and the blog does actually post the IP of the user and not that of the blog/website. Therefore, it was not as if the individuals seemed to have gained admin access, because even when I, as the admin, post a comment, it shows my real IP address.

    It seems that an individual has found a security hole in WordPress that allows them to anonymously submit comments.
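A defender's triage check for the three observations listed above, added here as an example and not code from the thread or from WordPress: it walks wp_comments-style records and flags the combination the poster describes (author IP equal to the server's own IP, author URL pointing back at the site, a non-logged-in submitter while registration is required). The hostname, server IP and sample rows are constructed placeholders.

```python
from urllib.parse import urlparse

SITE_HOST = "blog.example"        # constructed placeholder: the blog's own hostname
SERVER_IP = "203.0.113.10"        # constructed placeholder: the web server's own IP

# Constructed sample rows mirroring wp_comments columns (not real data).
COMMENTS = [
    {"comment_ID": 1, "comment_author": "Site Owner",
     "comment_author_url": "http://www.blog.example/2010/other-post/",
     "comment_author_IP": "203.0.113.10", "user_id": 0, "comment_type": ""},
    {"comment_ID": 2, "comment_author": "Site Owner", "comment_author_url": "",
     "comment_author_IP": "198.51.100.7", "user_id": 1, "comment_type": ""},
    {"comment_ID": 3, "comment_author": "Bob", "comment_author_url": "http://other.example/",
     "comment_author_IP": "192.0.2.44", "user_id": 0, "comment_type": ""},
]


def _bare_host(url):
    """Lower-cased hostname of url with a leading 'www.' removed, or None."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host or None


def triage(comment, site_host=SITE_HOST, server_ip=SERVER_IP,
           registration_required=True):
    """Return the anomaly flags for one comment record (empty list = nothing odd)."""
    flags = []
    if comment["comment_author_IP"] == server_ip:
        flags.append("ip_is_own_server")            # submitted from the host, not a visitor
    if _bare_host(comment["comment_author_url"]) == site_host:
        flags.append("url_points_to_own_site")      # author URL is one of our own posts
    if registration_required and comment["user_id"] == 0 \
            and comment["comment_type"] == "":
        flags.append("anonymous_while_registration_required")
    if comment["comment_type"] in ("pingback", "trackback"):
        flags.append("automated_link_notification")  # stored in wp_comments, not typed by a person
    return flags


def suspicious(comments=COMMENTS, **kwargs):
    """Map comment_ID -> flags for every record that raised at least one flag."""
    result = {}
    for c in comments:
        flags = triage(c, **kwargs)
        if flags:
            result[c["comment_ID"]] = flags
    return result
```

Run against a real export, a record carrying all three flags at once is the pattern from the post and is worth looking at before assuming an authentication bypass.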

    Can I suggest a few things:

    1. We can’t support self hosted blogs here at wordpress.com. I realise that this may affect the whole WP platform, but this is specifically for user support of wp.com blogs.

    2. The correct URL for your self-hosted blog is over at http://www.wordpress.org. Please, don’t post this over at wordpress.org yet. Instead, can you send an email to support at wordpress.com detailing your findings. Mark or one of the Key Masters will be able to pick it up and either pass it on or deal with it for you.

    Many thanks!

    Collin

    That doesn’t sound like a security issue given the ways spammers can and do hit blogs.
    As Cornell suggests I’d go mention it in the .org forums and get some views and experiences there.
