WordPress.org

Ready to get started?Download WordPress

Forums

Author/Admin Impersonation (7 posts)

  1. jakeisonline
    Member
    Posted 5 years ago #

    Why oh why does WordPress let unregistered commenter's impersonate authors, registered users and/or admins? All you have to do is know the author/admin/registered users email address and WordPress will just let the comment straight through.

    That's pretty bad, isn't it? I know it's easily "hackable" but seriously that should be standard.

  2. ClaytonJames
    Member
    Posted 5 years ago #

    All you have to do is know the author/admin/registered users email address and WordPress will just let the comment straight through.

    Could you explain further how that is being done with just a known email address? I would like to try and reproduce it on my test server using the same settings you are currently using. Take a look here:

    Dashboard > Settings > Discussion > other comments settings > "Comment author must fill out name and e-mail"

    If you have that box checked, then the question you should be asking is how and why are your unregistered users getting access to your registered user's email and login credentials. Otherwise, check the box that says "Users must be registered and logged in to comment".

    Get back to me with your settings if you can, I really want to try and duplicate this. Thanks!

    Cj

  3. As many people use the same ID across many boards, and some places have public emails addresses ... it's not very hard to figure out what my id/email combo is. I'm sure googling me will pull up a couple combos, and a patient net-stalker could do that. And has. And will again.

    Impersonation really should be prevented. IF a name is a registered user name, THEN that user cannot comment without logging in. Done. End of story. Scott Merrill's impostercide still works on that end.

    https://skippy.net/SVN/plugins/wordpress/impostercide/impostercide.php

  4. jakeisonline
    Member
    Posted 5 years ago #

    In the end I had to hack this out to make sure no one could do it any longer.

    After line 38 of "wp-comments-post.php" add this:

    // get list of user (display) names for blog
    global $wpdb;
    $valid_users = (array)$wpdb->get_results("
      SELECT display_name, user_email FROM " . $wpdb->prefix . "users");
    
    // get ID of logged in user (if there is one)
    global $userdata;
    get_currentuserinfo();
    $logged_in_name = $userdata->ID;
    $logged_in_email = $userdata->user_email;
    
    // see if the comment author matches an existing author
    $found_match = FALSE;
    foreach ($valid_users as $va) {
      if (trim($va->display_name) != '') {
        if (strtolower($va->display_name) == strtolower($comment_author)) {
          $found_match = TRUE;
          break;
        }
      }
      if (trim($va->user_email) != '') {
        if (strtolower($va->user_email) == strtolower($comment_author_email)) {
          $found_match = TRUE;
          break;
        }
      }
    }
    
    // if commenter is not logged in, but match was found, block the comment
    if (trim($logged_in_name) == '') {
      if ($found_match == TRUE) {
        wp_die( __('You cannot post using the name or email of a registered author.') );
      }
    }

    You can add in your own way of doing the error message.

    @ClaytonJames - don't be so naive, it's rather easy to get hold of blog posters email addresses, particularly in the open social worldwide web.

  5. whooami
    Member
    Posted 5 years ago #

    theres a plugin for this.

  6. jakeisonline
    Member
    Posted 5 years ago #

    I'm sure there is, the point of this post was that it should either be standard or a security option by standard.

  7. ClaytonJames
    Member
    Posted 5 years ago #

    don't be so naive, it's rather easy to get hold of blog posters email addresses, particularly in the open social worldwide web.

    Oh, my.

    Well, being naive is not on my list of character traits, I assure you. Neither is bearing the burden of social ineptitude and public displays of moronic assumptions from others. (But I do understand it. I can be a bit of a "Dick" myself from time to time). I was being subserviently polite in an attempt to not accidentally offend you right from the start. (Seeing as how I don't know shit about you, nor you me, and you are obviously lacking in "search" skills). You know... perhaps actually start a useful dialog until all the facts were known... either way, I'm glad you got it fixed. Really, I am.

    Don't forget to save your "hacked" core file in a backup somewhere so you don't get borked on your next WP upgrade. And I suggest you save the parent - child relationship mode for your kids and co-workers.

    Peace

Topic Closed

This topic has been closed to new replies.

About this Topic