When spammers post a comment with a URL that starts with http://%/, it seems to confuse and/or crash the comment-handling code enough that it bypasses the content blacklisting and even the selected requirement that a comment author have a previously approved comment. These spam comments just get automatically approved. Is that field not escaped properly before being checked? Or am I missing something?
Malformed URL bypassing moderation? (9 posts)
-
fxpal
Posted 2 years ago # -
s_ha_dum (was apljdi)
Posted 2 years ago #Do you have an example of the full URL being used? I'd like to try to duplicate this. Also, what version of WP are you using?
-
Posted 2 years ago #I'm using 2.9.1.
http://%/JoJozuru.ru is one of the URLs that was used.
-
Posted 2 years ago #What are your comment settings in wp-admin->Settings->Discussion? Sorry. Should have asked that to start.
-
Posted 2 years ago #Important Checked options: (All the Default article settings), Comment author must fill our name and e-mail, Comment author must have a previously approved comment, Hold a comment in the moderation queue if 2 or more links, and a number of phrases in the Comment Blacklist.
Not Checked options: Users must be registered and logged in to comment, An administrator must always approve the comment
So a random reader should be able to post a comment, but it should be held for moderation if they haven't had an approved comment before or if they include blacklisted strings or too many links.
The comments that are causing trouble come from unregistered users, and they put an http://%/..... url in the "Website" field of their comment. They put regular spam stuff in the comment content field.
-
Posted 2 years ago #I'll have to hunt in the DB for the offending posts, because they also seem to have null email addresses, but I'll need to verify that.
I can't replicate the behavior using URLs like that, and it has only been a few offending posts, but still annoying.
-
capsx
Posted 1 year ago #i have the same situation:
VIRGIL
http://%/zzvwuok8
spam commentand spam comment is automatically confirmed, even i had option -
Before a comment appears "Comment author must have a previously approved comment" - enabledalso E-mail is empty - theoretically user can't post comment with an empty e-mail address
also i found that "comment_type" is trackback ...
---
Other comment settings:
Comment author must fill out name and e-mail.
Before a comment appears:
Comment author must have a previously approved comment.
I'm using:
WordPress 3.0 stable -
Posted 1 year ago #"Unfortunately, there is no actual verification performed on the incoming trackback, and indeed they can even be faked."
sou - as i understand - trackbacks can be faked and trackbags always are automatically confirmed ?
-
Yes, the trackback protocol is primitive at best. A trackback requires nothing more that a simple submission of data to a specific file and therefore the origin cannot be validated.
The moderation list, blacklist, Akismet, and various other anti-spam plugin are capable of filtering all incoming trackbacks.
Topic Closed
This topic has been closed to new replies.
