WordPress Unauthorised Comments Disclosure

June 1, 2007 on 12:54 am | In News |

Sid from notsosecure.com informed us today of a low risk (yet interesting) vulnerability he has found in WordPress.

An attacker can read comments on posts that have not been moderated. This can be a real security risk if blog admins are using unmoderated comments (comments that have not been made public) to hide sensitive notes regarding posts, future work, passwords etc. So please be careful if you are one of these blog admins.

The following (example) cookie is set in the browser when a user submits a comment:

comment_author_4a8287188f05d2a891382f06d83a93c6=Test+User;
comment_author_email_4a8287188f05d2a891382f06d83a93c6=testuser%40test.com;
comment_author_url_4a8287188f05d2a891382f06d83a93c6=deleted;

The cookie seen above is not random, although it looks that way at first glance. The only information that changes between users submitting comments is the actual user data (i.e. username and email address). This means an attacker can view unmoderated comments simply by supplying a valid author name and email.
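To make the weakness concrete, the following is an added Python model of the check described above (not WordPress's own code) beside a hardened variant that ties preview access to a random per-comment secret instead of the guessable name and email; the sample comments, cookie keys and token scheme are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: unapproved comments as a blog might hold them while
# waiting for moderation. Names, e-mails and text are made up for this example.
PENDING = [
    {"id": 1, "author": "Test User", "email": "testuser@test.com",
     "content": "private note: staging password is in the wiki", "token_hash": None},
    {"id": 2, "author": "Alice", "email": "alice@example.org",
     "content": "Nice post!", "token_hash": None},
]

def visible_weak(comments, cookie):
    """Model of the behaviour described above: any request whose cookie carries
    the author's name and e-mail is shown that author's unapproved comments.
    Both values are public or guessable, so they are not a secret."""
    return [c["id"] for c in comments
            if c["author"] == cookie.get("comment_author")
            and c["email"] == cookie.get("comment_author_email")]

def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()

def submit_hardened(comments, author, email, content):
    """Hardened variant (this example's suggestion, not WordPress code): bind the
    right to preview a pending comment to a random secret minted at submission,
    stored only as a hash, and handed back to the submitter's browser."""
    token = secrets.token_urlsafe(32)
    comments.append({"id": len(comments) + 1, "author": author, "email": email,
                     "content": content, "token_hash": _hash_token(token)})
    return token  # to be set as an HttpOnly cookie in the HTTP response

def visible_hardened(comments, cookie):
    """Show a pending comment only to a requester presenting the matching secret."""
    presented = _hash_token(cookie.get("comment_preview_token", ""))
    return [c["id"] for c in comments
            if c["token_hash"] is not None
            and hmac.compare_digest(c["token_hash"], presented)]

if __name__ == "__main__":
    guess = {"comment_author": "Test User", "comment_author_email": "testuser@test.com"}
    print("weak check shows:", visible_weak(PENDING, guess))  # [1]
    comments = []
    tok = submit_hardened(comments, "Test User", "testuser@test.com", "private note")
    print("hardened, secret known:", visible_hardened(comments, {"comment_preview_token": tok}))  # [1]
    print("hardened, name+email only:", visible_hardened(comments, {}))  # []
```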

I feel WordPress can do a lot more with regards to session security, and I hope they will take a hard look at this for future releases. WordPress stores a lot of critical information in static cookies (i.e. the password). This means that if an attacker gets hold of the admin cookies, your blog will be vulnerable not for the duration of the cookie, but for the duration of your password, making replay attacks possible for a very lengthy or sometimes indefinite period.

Thanks again to Sid for keeping us informed.

5 Comments »


  1. […] Unauthorised Comments Disclosure (more) […]

    Pingback by BlogSecurity » WordPress BlogWatch — June 1, 2007 #

  2. […] By enumerating the name and email address of a comment author, an attacker can read the comment submitted by the author while the comment still waits for an administrator to approve it and publish it. This again points to the need for better session management in Wordpress. Read the full story here […]

    Pingback by » Wordpress Unauthorized Comment Disclosure » www.notsosecure.com — June 1, 2007 #

  3. […] A full description (in English) is available here. […]

    Pingback by SecBlog » Low-risk flaw in Wordpress — June 4, 2007 #

  4. That is a feature, not a bug, and was “reported” years ago when the feature was introduced.

    Comment by Matt — June 5, 2007 #

  5. Matt, you're starting to sound like Microsoft ;>

    Thanks for the feedback.

    Comment by David Kierznowski — June 5, 2007 #
