[Plugin: 6Scan Security] Question about "3.4 comment posting forgery"

  • itpixie

    (@itpixie)


    11 years, 10 months ago

    Hello,

    This is more a curiosity question…

    My site received a vulnerability warning about “3.4 comment posting forgery” that read the following:
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Wordpress 3.4 (and 3.3.2) comment posting forgery
    CSRF vulnerability in WordPress versions under 3.3.2 allows malicious users to make fake posts
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<

    However from what I could find about this vulnerability, WordPress has patched that in WordPress 3.3.2, so is this warning still valid? Should one still follow the instructions provided in the scan report to “patch” the vulnerability?

    Thank you in advance for the clarifications!

    http://wordpress.org/extend/plugins/6scan-protection/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author 6Scan

    (@6scan)

    11 years, 9 months ago

    Hey itpixie,

    The vulnerability in question hasn’t been patched as of the latest WordPress release (3.4.1). We just retested it to make 100% sure. So yes, you should still follow the instructions to patch it yourself.

    We’d be interested in hearing where you got the information that it was patched, so if you could send that over it would be great.

    Thread Starter itpixie

    (@itpixie)

    11 years, 9 months ago

    I think I was actually seeing information about a different vulnerability in wp-comment-post.php that had to do with redirects, which was fixed in WP 3.3.2 (http://wordpress.org/news/2012/04/wordpress-3-3-2/).

    After seeing this comment (which was posted after my question), I think I have a better understanding of the vulnerability that 6Scan pointed out. Correct me if I’m wrong:
    The vulnerability in question is about fake comments to be posted to vulnerable sites. These fake comments are generated from hacked sites and trigger by these sites’ visitors commenting on the sites… The fix provided by 6Scan is to block these fake comments by checking the Referer Header and comparing that to that of the site to be posted…

    Thank you again for the clarification and additional information.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘[Plugin: 6Scan Security] Question about "3.4 comment posting forgery"’ is closed to new replies.