Support » Requests and Feedback » wp-comments-post.php misery

  • The problem: Even with CAPTCHA, WP-Hashcash, and Apache no-referrer denials in place, spambots were still posting to wp-comments-post.php and entering their viagra crap to my comments moderation queue. How is this possible, I asked? How are they getting around my Apache directives that mandate that the request have a referral from my same site? Are they actually injecting a fake referral in their bot?

    Yes, yes they were. It is trivial to do with curl. Here is an example:

    curl -e “” -d “param1=value1&param2=value2”

    -e is the post permalink (the string used as the referrer to gain access to wp-comments-post.php)

    -d is some set of variables like, “name= and comment=” where you inject the actual comment.

    The last argument is the destination, which would be your default wordpress comment post handler.

    I have read all over the Internet where admins are under the false pretense that the following Apache directives nullify direct access to wp-comment-post.php

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^/?wp-comments-post\.php.*
    RewriteCond %{HTTP_REFERER} !.** [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* – [F]

    I can assure you they do not. Every single http request is a direct request to the webserver. Referrals are generated on the client-side and can be ANYTHING, anything at all. Remember, a good sysadmin never trusts his users or their input.

    Every http request is unvetted user input.

    How could the developers have avoided putting any security into wp-comments-post.php? How could they allow direct access to that file? Why is there not some sort of token or hash that is generated from the comment form and passed via the POST? It seems reasonable to me that WP-Hashcash could pass its approval upon POST (based on some hash) and wp-comments-post.php could accept that as part of the environment.

    Yet, there is no hook and no template post variables that can be extended by plugins without hacking wp-comments-post.php. If comments are permitted by anonymous users on a post wp-comments-post.php will happily process the remote request and pass it to your moderation queue. You can inject any browser string, referral, or comment you wish, all day, every day.

    I am left scratching my head. How could direct access still be granted to wp-comments-post.php in 2010? A true fix would involve wp-comment-post.php vetting the POST of the user in some fashion.

    Anybody want to shed any light on this? Am I crazy? Has this been talked about before? Why is wp-comments-post.php such a dumb bot?

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘wp-comments-post.php misery’ is closed to new replies.