1 (edited by 2014-03-31 16:20:39)

Topic: Security issue with comments v2.0.1

There appears to be a security issue with the comments section of V2.0.1.

As I have tried to inform support of this through several channels - and it is a SECURITY ISSUE - to have no response from support is itself an issue.

Since upgrading to V2.0.1 I have had a number of spam or simply plain nonsensical comments added.

See attached images.

After a comment is added, no details other than date are shown in the Dashboard comments admin section. All other comment data disappears - see clipboard01.jpg:
https://cutephp.com/forum/uploads/monthly_03_2014/post-3081-1395649092.jpg

After comment is deleted, details return to the dashboard comments section:
https://cutephp.com/forum/uploads/monthly_03_2014/post-3081-1395649491.jpg

Captcha is enabled.

Due to this, which I consider a security issue, I have disabled comments except for registered users only.

Script writers please look into this asap.

If this security bug is not addressed I will revert back to V2, which does not have this issue.

Is anyone else experiencing this with comments? I have identical issues on two websites with separate Cutenews installations...

Re: Security issue with comments v2.0.1

Is this fixed already?

Re: Security issue with comments v2.0.1

Dear User!

Could you kindly send us a sample of a news text that leads to that problem. Also, kindly give us the precise number of news you have on the website.

Best regards,
CN Support team

Re: Security issue with comments v2.0.1

Dear User!

Could you kindly send us a sample of a news text that leads to that problem. Also, kindly give us the precise number of news you have on the website.

I don't see the relevance to number of news, but active news varies from 1 to 70 items each month prior to archiving.
The archives probably contain over 500 items.

The spamming comments are inserted from news items called from the archived content.
When such a comment is posted, there is no information in the dashboard other than the date and time - no IP etc etc - and all other comment entries do not show until the offending item has been deleted.

Re: Security issue with comments v2.0.1

This issue is still outstanding in limbo - it is not possible to correctly, efficiently and securely manage the comments section while this issue persists.

Please advise if this matter is being addressed, as it does represent a security issue with the script.

Rgds

Re: Security issue with comments v2.0.1

I am now advising admin and users of this script of an unaddressed security issue with the comments section of this script, which I have reported many times and which remains unresolved.

Today the following entry appeared in my mailbox through the comments notification process:

New Comment was added by Pharmf163 on 14 May 2014 at https://app01.kaonavi.jp/apc/

Very nice site!

The site is NOT my site - how can a comment be added to my site that then shows it being added to a different URL?

The comments admin page shows only this:
https://cutephp.com/forum/uploads/monthly_05_2014/post-3081-1400071694.jpg

THIS IS A SECURITY ISSUE.

All users of this script are exposing their website to such issues.

Re: Security issue with comments v2.0.1

Ok, I got it, thank you!

Re: Security issue with comments v2.0.1

In March I drew attention to a security issue regarding the comments section of this script.

This issue has not been addressed.

Why?
