Subscribe to Comments 2.0.4

I just released Subscribe to Comments 2.0.4 to fix a potential security issue. Thanks to Steven J. Murdoch for bringing this to my attention.

The bug is actually in WordPress 2.0.x (an update is coming soon), but the way Subscribe to Comments calculated its security hashes (the per-subscriber values that stop other people from unsubscribing you) meant they could be manipulated to make the WordPress bug easier to exploit.

In order to be vulnerable, all of the following need to be true:

  1. WordPress 2.0, 2.0.1, or 2.0.2
  2. User registration on (it is off by default)
  3. WP’s default object cache on (it is off by default in WP 2.0.2)
  4. At least one of:
    • Weak MySQL password (i.e. “guessable” by dictionary attack, or blank)
    • Subscribe to Comments 2.0.0-2.0.2

Thankfully, very few WordPress installs will meet these criteria, especially since the WP object cache can only be turned on by editing wp-config.php.
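The hashes discussed above exist so that a person who knows your e-mail address and the post you subscribed to still cannot unsubscribe you. The following is an added example, not code from the plugin or from this post, showing the usual way to make such a token unforgeable: compute it as an HMAC under a server-side secret, and check it with a constant-time comparison. The secret, the message layout, the sample address and the post number are all constructed for the example; the page does not say how versions 2.0.0-2.0.2 actually computed their hashes, so the unkeyed function below is an illustration of the general weakness of hashing public values, not a description of the old plugin code.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example only. A real site would load it from
# configuration that visitors can neither read nor influence.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

UNSUBSCRIBE_BASE = "https://blog.example.invalid/unsubscribe"  # hypothetical endpoint


def _message(email: str, post_id: int) -> bytes:
    """Fixed-layout message binding one address to one post's subscription.

    The address is normalised so that case or whitespace differences do not
    yield a second valid token, and the separator cannot occur in an integer,
    so distinct (email, post_id) pairs never produce the same message.
    """
    return f"unsubscribe|{post_id}|{email.strip().lower()}".encode("utf-8")


def unkeyed_token(email: str, post_id: int) -> str:
    """Illustrative weak scheme: a plain hash of values anyone may know.

    Whoever knows the address and post id can recompute this without any
    secret, so accepting it proves nothing about who sent the request.
    (Illustration only; not a description of the plugin's old code.)
    """
    return hashlib.sha1(_message(email, post_id)).hexdigest()


def keyed_token(email: str, post_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Keyed scheme: HMAC-SHA256 under a secret only the server holds.

    Knowing every input except the key is not enough to produce a token
    that verifies, which is the property the unsubscribe link needs.
    """
    return hmac.new(secret, _message(email, post_id), hashlib.sha256).hexdigest()


def unsubscribe_url(email: str, post_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Build the link that would be mailed to the subscriber."""
    query = urlencode({"email": email, "post": post_id,
                       "token": keyed_token(email, post_id, secret)})
    return f"{UNSUBSCRIBE_BASE}?{query}"


def handle_unsubscribe(url: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server side: act only if the presented token verifies.

    Malformed requests are rejected before any hashing, and the comparison
    is constant-time so a guesser learns nothing from response timing.
    """
    params = parse_qs(urlparse(url).query)
    try:
        email = params["email"][0]
        post_id = int(params["post"][0])
        token = params["token"][0]
    except (KeyError, ValueError):
        return False
    expected = keyed_token(email, post_id, secret)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    victim = "alice@example.invalid"   # constructed sample subscriber
    post = 788                         # constructed sample post id

    link = unsubscribe_url(victim, post)
    print("link mailed to subscriber:", link)
    print("legitimate click accepted:", handle_unsubscribe(link))

    # An attacker who knows Alice's address and the post id can compute the
    # unkeyed hash with no secret at all ...
    print("attacker recomputes unkeyed hash:", unkeyed_token(victim, post))
    # ... but a link built without the real key is refused.
    forged = unsubscribe_url(victim, post, secret=b"attacker's guess")
    print("forged link accepted:", handle_unsubscribe(forged))
```

The check in `handle_unsubscribe` deliberately recomputes the token from the request's own `email` and `post` values rather than trusting anything stored in the URL, so swapping in another subscriber's address simply yields a different expected value and the request fails.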

Other changes in Subscribe to Comments 2.0.4 include a switch from user levels to capabilities (you need manage_options to have full control of Subscribe to Comments), and several small behind-the-scenes improvements. Hopefully, you won’t notice that anything has changed!

11 thoughts on “Subscribe to Comments 2.0.4”

  1. Thanks! But it’s still showing as 2.0.2 in the source / plugin manager. I’m not sure if that means I’ve downloaded the older file again or if you forgot to update the metadata for the plugin…

  2. Kyle Kosup says:

    Thanks for the work on this plugin!
    However I have a problem:
    As soon as I activate version 2.04 of this plugin, it generates
    the following error messages (which appear in the admin/control panel area, and also when you return to the blog and attempt to leave a comment):
    WordPress database error: [Access denied for user 'yscr_bbXXMG'@'localhost' to database 'blog']
    ALTER TABLE wp_comments ADD COLUMN comment_subscribe enum('Y','N') NOT NULL default 'N'
    WordPress database error: [Unknown column 'comment_subscribe' in 'where clause']

    The check box and text for subscribing showed up where you’d expect, and the admin/control panel features of the plugin work fine.
    I am using WP v.2.3 and I’m using the Blix theme.
    I’ve tried logging in as registered users with different roles, same situation.
    Any ideas how to fix this? Thanks!
    Kyle Kosup

  3. I just found this in my log files:
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT ID, post_title, post_date, COUNT(wp_comments.comment_post_ID) AS 'comment_count' FROM wp_posts, wp_comments WHERE comment_approved = '1' AND wp_posts.ID=wp_comments.comment_post_ID AND post_status = 'publish' GROUP BY wp_comments.comment_post_ID ORDER BY comment_count DESC LIMIT 5 made by wp_get_most_commented_posts
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT * FROM wp_comments WHERE comment_post_ID = 788 AND comment_approved = '1' ORDER BY comment_date made by comments_template
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query DESC wp_comments made by db_upgrade_check
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query ALTER TABLE wp_comments ADD COLUMN comment_subscribe enum('Y','N') NOT NULL default 'N' made by db_upgrade_check
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND wp_posts.post_type = 'post' AND (wp_posts.post_status = 'publish') ORDER BY wp_posts.post_date DESC LIMIT 0, 8 made by get_posts
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT FOUND_ROWS() made by get_posts
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy IN ('category') AND tt.count > 0 ORDER BY t.name ASC made by get_terms
    [Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT comment_author, comment_author_url, comment_ID, comment_post_ID FROM wp_comments WHERE comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 5 made by wp_widget_recent_comments

    Any idea what this is about?
