This applies to CVS revision 1.441. All registered users can delete comments by directly accessing the URL.

For example: http://yourdomain.com/?q=comment/delete/6

The only condition is that the user role must have "post comment" access turned on. All other access conditions can be turned off.

CommentFileSizeAuthor
#1 comment_29.patch935 bytesrobertgarrigos

Comments

robertgarrigos’s picture

robertgarrigos commented
Status: Active » Needs review
StatusFileSize
new comment_29.patch935 bytes

there was a line under the wrong $access value. This patch looks like resolves the problem.

Briang’s picture

Briang commented
Title: Security threat -- any user can delete comments » not quite

Your patch only works if the cache is turned on, when cache is turned off the security hole is the same as before.
I think is has to do with the following line:
if ($may_cache)

Frodo Looijaard’s picture

Frodo Looijaard commented
Title: not quite » Security threat -- any user can delete comments
Briang’s picture

Briang commented

After I turned on cache I have not been able to recreate the problem even after I turned off the cache again. How can I make sure that the cache is completely clear and reset to it's initial state?

profix898’s picture

profix898 commented

Simply empty cache table :)
DELETE FROM {cache}

dww’s picture

dww
we/he/they
commented
Status: Needs review » Reviewed & tested by the community

patch looks good. i easily recreated the security hole, applied comment_29.patch, and that plugged the hole (after toggling the cache settings). RTBC...

-derek

killes@www.drop.org’s picture

killes@www.drop.org commented
Status: Reviewed & tested by the community » Fixed

applied

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)