tniessen
Forum Replies Created
-
Forum: Plugins
In reply to: [kk Star Ratings - Rate Post & Collect User Feedbacks] VulnerabilitiesThanks for fixing #1! But I think it is still possible to rate an article several times from a single IP address:
curl --data "action=kksr_ajax&id=$POST_ID&stars=$STARS&_wpnonce=$NONCE" $BLOG_URL/wp-admin/admin-ajax.phpThis performance test is actually better because it also compares the resulting strings as you would do in the code.
Line 72 of js.js prevents users from clicking stars if they already voted.
I cannot reproduce the problem. What you describe seems to me like a JavaScript type conversion problem:
(“true” == “true”) == true
(“false” == “true”) == false
(true == “true”) == false
(false == “true”) == falseeval(“true”) == true
eval(true) == truealert(“true”) // shows true
alert(true) // shows trueIf
disableistrue(boolean) instead of'true'(String) the expressiondisable == "true"will return false and therefore fail.So far this seems to be comprehensible, but
kksr_ajax(index.php) always sends strings, not booleans. Additionally, there should not be a difference between visitors and registered users.I personally would not use
evalbut rather a simpleString(performance comparison):(String(“true”) == “true”) == true
(String(“false”) == “true”) == false
(String(true) == “true”) == true
(String(false) == “true”) == falseYou might want to change
if(eval(disable))
to
if(String(disable) == ‘true’)
Regards
tniessenAs far as I know there is no relation to user logins. Relevant code is located in index.php (
markupfunction in line 444) and js.js (line 72).There is actually no code that prevents users from voting multiple times. Even if you already voted you can send an infinite number of HTTP requests and this plugin will process them as usual (thread).
IP addresses are stored in the postmeta table (
wp_postmetaby default).The following MySQL statement deletes all IP records, thus it allows visitors to vote again on all posts:
DELETE FROM wordpress.wp_postmeta WHERE wp_postmeta.meta_key = '_kksr_ips';
You may need to replacewordpresswith your database name andwp_postmetawith the name of your postmeta table (table name prefix +postmeta).To reset IP records of a single post you can use this statement:
DELETE FROM wordpress.wp_postmeta WHERE wp_postmeta.meta_key = '_kksr_ips' AND wp_postmeta.post_id = '999';
where999is the post id.Best regards
tniessen