Support » Networking WordPress » Comments Revealing Other Users Email Addresses – SECURITY ISSUE

  • Currently using a multi-site installation of wordpress using WP Super Cache and DB Cache.

    Exactly like this post:

    Various users, in various localities, are reporting an issue when they reply to a post or article on our site. When the user goes to reply to a post or article, the email address field reveals email addresses of other users who have entered comments on the site.

    This issue is beyond browser level pre-population, as the email addresses ARE visible in our source code.

    I have been able to replicate the issue locally, as well has on various QA machines.

    This presents a massive security loophole.

    To define the issue from a 50 thousand foot perspective:
    + Multi-site install
    + WP Super Cache
    + DB Cache
    + Email addresses of complete strangers appearing in email fields, pre-populated in some cases
    + Visible in HTML source

Viewing 2 replies - 1 through 2 (of 2 total)
  • This is not a multisite only issue, it’s an issue with the caching plugins. You should be reporting to them.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Check your .htaccess rules. Maybe resave your permalink settings. Also, clear the cache.

    Super cache is designed to not serve or save the static cached page if cookies exist in the request. When a person leaves a comment, cookies get set for them with their information, and this is returned in the resulting page.

    If this accidentally gets saved as the static page, then other users can get served the information too. This should be prevented by the .htaccess rules not serving the static page if a cookie is in the response.

    So, clear the cache to eliminate any incorrectly saved pages, then make sure that your .htaccess rules contain the super-cache information and such.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Comments Revealing Other Users Email Addresses – SECURITY ISSUE’ is closed to new replies.