Support » Requests and Feedback » Malformed URL bypassing moderation?

  • When spammers post a comment with a URL that starts with http://%/, it seems to confuse and/or crash the comment-handling code enough that it bypasses the content blacklisting and even the selected requirement that a comment author have a previously approved comment. These spam comments just get automatically approved. Is that field not escaped properly before being checked? Or am I missing something?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Do you have an example of the full URL being used? I’d like to try to duplicate this. Also, what version of WP are you using?

    I’m using 2.9.1.

    http://%/ is one of the URLs that was used.

    What are your comment settings in wp-admin->Settings->Discussion? Sorry. Should have asked that to start.

    Important Checked options: (All the Default article settings), Comment author must fill our name and e-mail, Comment author must have a previously approved comment, Hold a comment in the moderation queue if 2 or more links, and a number of phrases in the Comment Blacklist.

    Not Checked options: Users must be registered and logged in to comment, An administrator must always approve the comment

    So a random reader should be able to post a comment, but it should be held for moderation if they haven’t had an approved comment before or if they include blacklisted strings or too many links.

    The comments that are causing trouble come from unregistered users, and they put an http://%/….. url in the “Website” field of their comment. They put regular spam stuff in the comment content field.

    I’ll have to hunt in the DB for the offending posts, because they also seem to have null email addresses, but I’ll need to verify that.

    I can’t replicate the behavior using URLs like that, and it has only been a few offending posts, but still annoying.

    i have the same situation:

    spam comment

    and spam comment is automatically confirmed, even i had option –
    Before a comment appears “Comment author must have a previously approved comment” – enabled

    also E-mail is empty – theoretically user can’t post comment with an empty e-mail address

    also i found that “comment_type” is trackback …

    Other comment settings:
    Comment author must fill out name and e-mail.
    Before a comment appears:
    Comment author must have a previously approved comment.
    I’m using:
    WordPress 3.0 stable

    “Unfortunately, there is no actual verification performed on the incoming trackback, and indeed they can even be faked.”

    sou – as i understand – trackbacks can be faked and trackbags always are automatically confirmed ?

    Moderator James Huff


    Halfelf Minion 🚀

    Yes, the trackback protocol is primitive at best. A trackback requires nothing more that a simple submission of data to a specific file and therefore the origin cannot be validated.

    The moderation list, blacklist, Akismet, and various other anti-spam plugin are capable of filtering all incoming trackbacks.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Malformed URL bypassing moderation?’ is closed to new replies.