Malformed URL bypassing moderation? (9 posts)

  1. fxpal
    Member
    Posted 4 years ago #

    When spammers post a comment with a URL that starts with http://%/, it seems to confuse and/or crash the comment-handling code enough that it bypasses the content blacklisting and even the selected requirement that a comment author have a previously approved comment. These spam comments just get automatically approved. Is that field not escaped properly before being checked? Or am I missing something?

  2. s_ha_dum
    Member
    Posted 4 years ago #

    Do you have an example of the full URL being used? I'd like to try to duplicate this. Also, what version of WP are you using?

  3. fxpal
    Member
    Posted 4 years ago #

    I'm using 2.9.1.

    http://%/JoJozuru.ru is one of the URLs that was used.

  4. s_ha_dum
    Member
    Posted 4 years ago #

    What are your comment settings in wp-admin->Settings->Discussion? Sorry. Should have asked that to start.

  5. fxpal
    Member
    Posted 4 years ago #

    Important Checked options: (All the Default article settings), Comment author must fill out name and e-mail, Comment author must have a previously approved comment, Hold a comment in the moderation queue if 2 or more links, and a number of phrases in the Comment Blacklist.

    Not Checked options: Users must be registered and logged in to comment, An administrator must always approve the comment

    So a random reader should be able to post a comment, but it should be held for moderation if they haven't had an approved comment before or if they include blacklisted strings or too many links.

    The comments that are causing trouble come from unregistered users, and they put an http://%/..... URL in the "Website" field of their comment. They put regular spam stuff in the comment content field.

  6. fxpal
    Member
    Posted 4 years ago #

    I'll have to hunt in the DB for the offending posts, because they also seem to have null email addresses, but I'll need to verify that.

    I can't replicate the behavior using URLs like that, and it has only been a few offending posts, but still annoying.

  7. capsx
    Member
    Posted 4 years ago #

    I have the same situation:

    VIRGIL
    http://%/zzvwuok8
    spam comment

    and the spam comment is automatically confirmed, even though I had the option
    Before a comment appears: "Comment author must have a previously approved comment" enabled.

    Also, the e-mail is empty; theoretically a user can't post a comment with an empty e-mail address.

    Also I found that "comment_type" is trackback ...

    ---

    Other comment settings:
    Comment author must fill out name and e-mail.
    Before a comment appears:
    Comment author must have a previously approved comment.
    I'm using:
    WordPress 3.0 stable

  8. capsx
    Member
    Posted 4 years ago #

    "Unfortunately, there is no actual verification performed on the incoming trackback, and indeed they can even be faked."

    So, as I understand, trackbacks can be faked and trackbacks are always automatically confirmed?

  9. Yes, the trackback protocol is primitive at best. A trackback requires nothing more than a simple submission of data to a specific file and therefore the origin cannot be validated.

    The moderation list, blacklist, Akismet, and various other anti-spam plugins are capable of filtering all incoming trackbacks.
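    The thread's diagnosis is that these entries arrive as trackbacks (comment_type "trackback", empty e-mail, a source URL like http://%/...), and trackbacks skip the "previously approved comment" check. The following mu-plugin is an added example written for this thread, not code from WordPress core or from any of the posters. It hooks the core `pre_comment_approved` filter (which WordPress applies to every new comment, including trackbacks and pingbacks) and sends any trackback or pingback whose source URL has no well-formed host back into the moderation queue; it also offers a helper for the "hunt in the DB" step, listing already-approved trackbacks that have an empty e-mail or a malformed URL. The function names prefixed `hut_` and the plugin header are assumptions of this example.

```php
<?php
/*
Plugin Name: Hold Unverifiable Trackbacks (added example)
Description: Example mu-plugin, not WordPress core code. Holds trackbacks/pingbacks
             whose source URL has a malformed host (e.g. "http://%/...") for moderation.
*/

// Hypothetical helper: true only when $url has an http(s) scheme and a host made of
// plain hostname labels. "http://%/JoJozuru.ru" fails because "%" is not a valid label.
function hut_url_has_valid_host( $url ) {
    $parts = parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    return (bool) preg_match( '/^' . $label . '(?:\.' . $label . ')*$/', $parts['host'] );
}

// Runs inside wp_allow_comment() after core has computed its own approval value
// ($approved is 1, 0, 'spam' or 'trash'; $commentdata is the incoming comment array).
function hut_pre_comment_approved( $approved, $commentdata ) {
    // Already marked spam/trash by core or an anti-spam plugin such as Akismet: leave it.
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;
    }
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( 'trackback' !== $type && 'pingback' !== $type ) {
        return $approved; // ordinary comments keep core's decision
    }
    $url = isset( $commentdata['comment_author_url'] ) ? $commentdata['comment_author_url'] : '';
    if ( ! hut_url_has_valid_host( $url ) ) {
        return 0; // 0 = hold in the moderation queue
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'hut_pre_comment_approved', 10, 2 );

// Hypothetical helper for the "hunt in the DB" step: returns approved trackbacks/pingbacks
// that either carry an empty e-mail or a source URL without a valid host, so they can be
// reviewed and unapproved. Run it from WP-CLI's `wp eval` or a one-off admin page.
function hut_find_suspect_approved_trackbacks() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT comment_ID, comment_author, comment_author_email, comment_author_url, comment_type
         FROM {$wpdb->comments}
         WHERE comment_type IN ('trackback', 'pingback') AND comment_approved = '1'"
    );
    $suspect = array();
    foreach ( $rows as $row ) {
        if ( '' === $row->comment_author_email || ! hut_url_has_valid_host( $row->comment_author_url ) ) {
            $suspect[] = $row;
        }
    }
    return $suspect;
}
```

    Drop the file into wp-content/mu-plugins/ so it loads before any regular plugin. It deliberately returns 0 (hold) rather than 'spam', so a legitimate trackback from an oddly formed URL only waits for a human rather than training a spam filter; posts that core or Akismet already classified as spam are left untouched.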

Topic Closed

This topic has been closed to new replies.
