
Spam loophole in Articles?

It looks like there is some kind of a spam loophole that lets people without accounts post comments on articles. We do not have an issue with spam on our core Vanilla forums:



The above are two examples. Somehow the spammers can post without an account. I do have "Allow guest comments" OFF in the Dashboard settings for Articles.

Please advise...


  • Did the guest commenting form show up under an article when you were logged out even with the "allow guest comments" setting set to off?

    Add Pages to Vanilla with the Basic Pages app

  • Shadowdare, I'm not sure, but I believe so -- I ended up having to sadly disable Articles entirely given the level of spam that was hitting it.

  • Shadowdare r_j MVP
    edited June 2015

    It looks like you found a bug. I'll fix it by adding another conditional in ComposeController->Comment() that checks whether there is no user session and the guest commenting config setting is disabled, and if so disallows the spam post submission from continuing.

    @hgtonight added in some code to check for spam in comments, but since I'm not at my computer right now, I can't check to see if it's related to handling this kind of spam as well.

    The guest commenting form has never shown up for me when the config setting was disabled and I was logged out, so maybe bots are posting to the form directly to the controller method itself.

    Add Pages to Vanilla with the Basic Pages app

  • Shadowdare r_j MVP
    edited July 2015

    Just made some changes to the code that should patch up the spam loophole in the ComposeController->Comment() method.

    @khalwat, thank you for trying out Articles. I'll be releasing v1.1.0 later this week. This fix should stop the spam comments caused by this loophole and I hope you would give Articles another try soon.

    Add Pages to Vanilla with the Basic Pages app
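The pattern Shadowdare describes, as an added example and not the Articles plugin's own code: not rendering the guest form only hides it, so the controller method the form posts to has to enforce the setting itself, otherwise a bot can POST to it directly. It assumes the Vanilla 2.x helpers Gdn::Session()->IsValid(), C() for config reads, Gdn_Form::AuthenticatedPostBack() and PermissionException(); the config key name is an assumption, not the plugin's real key.

```php
<?php
// Added example, not code from the Articles plugin. Shows the server-side
// guard the thread describes: a missing session plus guest comments disabled
// must reject the request inside the controller, not just hide the form.
// Assumed Vanilla 2.x APIs: Gdn::Session()->IsValid(), C(), Gdn_Form::
// AuthenticatedPostBack(), PermissionException(). Config key is assumed.

/**
 * Pure decision helper so the rule can be unit-tested on its own.
 * Logged-in users may always comment; guests only when the setting is on.
 */
function articlesCommentAllowed($sessionValid, $guestCommentsEnabled) {
    if ($sessionValid) {
        return true;
    }
    // No session: allow only if guest commenting is explicitly enabled.
    return (bool) $guestCommentsEnabled;
}

class ComposeController extends Gdn_Controller {
    /**
     * Handles the comment form POST. Before the fix this method went straight
     * on to spam checks and saving, so a direct POST with no session slipped
     * through whenever the UI simply had not rendered the guest form.
     */
    public function Comment($ArticleID = '') {
        $SessionValid  = Gdn::Session()->IsValid();
        $GuestsAllowed = C('Articles.Comments.AllowGuests', false); // assumed key

        // Enforce the setting here, independent of whether the form was shown.
        if (!articlesCommentAllowed($SessionValid, $GuestsAllowed)) {
            throw PermissionException();
        }

        // Only process a postback that carries a valid transient key; a bare
        // scripted POST without the form's token is ignored rather than saved.
        if (!$this->Form->AuthenticatedPostBack()) {
            $this->Render();
            return;
        }

        // ... existing flow continues: validate fields, run the spam check,
        // save the comment and redirect ...
    }
}
```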
