
Comments Revealing Other Users Email Addresses - SECURITY ISSUE (3 posts)

  1. David Roach
    Member
    Posted 1 year ago #

    Currently using a multi-site installation of WordPress using WP Super Cache and DB Cache.

    Exactly like this post:
    http://wordpress.org/support/topic/huge-security-issue-comment-fields-reveal-email-address-of-different-user

    Various users, in various localities, are reporting an issue when they reply to a post or article on our site. When the user goes to reply to a post or article, the email address field reveals email addresses of other users who have entered comments on the site.

    This issue is beyond browser level pre-population, as the email addresses ARE visible in our source code.

    I have been able to replicate the issue locally, as well as on various QA machines.

    This presents a massive security loophole.

    To define the issue from a 50 thousand foot perspective:
    + Multi-site install
    + WP Super Cache
    + DB Cache
    + Email addresses of complete strangers appearing in email fields, pre-populated in some cases
    + Visible in HTML source

  2. This is not a multisite only issue, it's an issue with the caching plugins. You should be reporting to them.

  3. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    Check your .htaccess rules. Maybe resave your permalink settings. Also, clear the cache.

    Super Cache is designed to not serve or save the static cached page if cookies exist in the request. When a person leaves a comment, cookies get set for them with their information, and this is returned in the resulting page.

    If this accidentally gets saved as the static page, then other users can get served the information too. This should be prevented by the .htaccess rules not serving the static page if a cookie is in the response.

    So, clear the cache to eliminate any incorrectly saved pages, then make sure that your .htaccess rules contain the super-cache information and such.
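The mechanism Otto describes above, modelled as an added example that is not part of this thread and not WP Super Cache's own code: a static cache that refuses to serve or save a page when the request carries a personalising cookie, plus an audit that scans stored pages for the symptom the original poster saw (a comment form whose email field is pre-filled). The cookie-name prefixes are an assumption drawn from how WordPress names the comment-author, logged-in and post-password cookies; the HTML pages and cookie values are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Assumed cookie-name prefixes that mark a request as personalised. WordPress
# appends a per-site hash to these names, hence prefix matching rather than
# exact names.
PERSONALISED_COOKIE_PREFIXES = ("comment_author_", "wordpress_logged_in_", "wp-postpass_")

# Constructed sample pages: one rendered for an anonymous visitor, one rendered
# for a visitor who has just commented (WordPress pre-fills the form from cookies).
CLEAN_PAGE = '<form><input type="text" name="author" value="">' \
             '<input type="email" name="email" value=""></form>'
LEAKY_PAGE = '<form><input type="text" name="author" value="Alice">' \
             '<input type="email" name="email" value="alice@example.com"></form>'


def is_personalised(cookies: dict) -> bool:
    """True if the request carries a cookie that makes WordPress render
    user-specific output (pre-filled comment form, admin bar, ...)."""
    return any(name.startswith(prefix)
               for name in cookies
               for prefix in PERSONALISED_COOKIE_PREFIXES)


@dataclass
class StaticCache:
    """Minimal stand-in for a full-page static cache keyed by request path."""
    store: dict = field(default_factory=dict)

    def lookup(self, path: str, cookies: dict):
        # Never hand a cached page to a personalised request; it must hit PHP.
        if is_personalised(cookies):
            return None
        return self.store.get(path)

    def save(self, path: str, cookies: dict, html: str) -> bool:
        # The failure in the thread: output rendered for a commenter ends up in
        # the static store. Refuse to save when the rendering request was
        # personalised, and report the refusal so the caller can log it.
        if is_personalised(cookies):
            return False
        self.store[path] = html
        return True


INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def leaked_emails(html: str) -> list:
    """Return pre-populated email values found in <input name="email"> tags.
    A non-empty result on a cached page means a commenter's address would be
    served to every anonymous visitor of that page."""
    found = []
    for tag in INPUT_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "email" and "@" in attrs.get("value", ""):
            found.append(attrs["value"])
    return found


def audit_cache(cache: StaticCache) -> dict:
    """Map each cached path to the email addresses leaking from it."""
    return {path: leaked_emails(html)
            for path, html in cache.store.items()
            if leaked_emails(html)}


if __name__ == "__main__":
    cache = StaticCache()
    cache.save("/post/1", {}, CLEAN_PAGE)                      # stored
    cache.save("/post/2", {"comment_author_ab12": "Alice"}, LEAKY_PAGE)  # refused
    cache.store["/post/3"] = LEAKY_PAGE                         # simulate the bug
    print(audit_cache(cache))  # {'/post/3': ['alice@example.com']}
```

The same audit can be pointed at an on-disk cache directory: read each stored HTML file, run `leaked_emails` over it, and purge any file that reports a hit. In the real deployment the serve/save decision lives in the .htaccess rewrite conditions Otto mentions, so verifying that those conditions exclude the cookie prefixes is the equivalent of the `is_personalised` check here.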

This topic has been closed to new replies.