Issue with the ability to "impersonate" a user


vB.Org System
09-08-2010, 02:30 PM
Over the past weekend, an issue (http://www.vbulletin.com/forum/showthread.php?361721-Security-flaw-found-in-vBulletin-versions-up-to-3.8.5-inclusive) was reported with vBulletin that may enable a user to "impersonate" another forum user.

The issue occurs if a user elects to register on a site with a username that mimics an existing username on the site but also contains "&" or "#" characters.
The possible implication is that this new username could accidentally become the recipient of new PMs that were intended for the original user.
Testing has indicated that it is not possible for the new user to gain the original user's password or access credentials, nor to have access to any of their permissions; as a result, we do not believe this issue to be a security concern.
The issue affects all versions of vBulletin prior to 3.8.5 and, as we understand, has been reported previously, but we understand it was not acted on by vBulletin's development team at that point in time.
The issue's existence was unintentionally fixed as a result of this bug fix (http://tracker.vbulletin.com/browse/VBIII-12511). This fix is not the permanent fix for this issue, however if you are operating a version 3.8.6 and newer, you are not affected by this concern.
We will be creating a more permanent fix via a patch that will prevent future creation of accounts that contain special Unicode characters and imitate an existing user account for vBulletin 3.7.7 and 3.8.6.
Additionally, you may prevent any issue arising by entering the following expression into the User Registration Options:
vBulletin Options > vBulletin Options > User Registration Options > Username Regular Expression: ^[A-Za-z0-9 ]+$
As a cautionary note, this will limit usernames to containing only alphanumeric English characters and spaces; if you would like your userbase to utilize non-English characters, you may need to edit this regex appropriately.
The permanent solution we will develop will not have this restriction on characters.
Thanks,
Adrian


More... (http://www.vbulletin.com/forum/showthread.php?361933-Issue-with-the-ability-to-quot-impersonate-quot-a-user&goto=newpost)
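The two defences the post describes, the interim regex and a "permanent" check that refuses a new account whose name merely imitates an existing one, as an added example that is not vBulletin's code or patch. It is a Python stand-in for the PHP registration check; the list of existing usernames is constructed, and the canonicalisation rules (decode HTML entities, NFKC-normalise, strip format/control characters, case-fold, collapse whitespace) are this example's assumptions about what "mimics an existing username" should mean, not the rules of the actual vBulletin patch.

```python
import html
import re
import unicodedata

# The interim mitigation quoted in the post (Username Regular Expression).
USERNAME_REGEX = re.compile(r"^[A-Za-z0-9 ]+$")

# Constructed sample of accounts that already exist on the board (not real data).
EXISTING_USERS = ["Adrian", "vB.Org System", "Paul M"]


def canonical(name: str) -> str:
    """Reduce a username to the form a reader would perceive it as.

    Assumed rules for this example:
    1. Decode HTML entities (the '&' and '#' characters the post mentions
       are what an entity such as &#32; is built from). Decode until the
       string stops changing, because &amp;#32; decodes to &#32; and only
       then to a space.
    2. NFKC-normalise so full-width and other compatibility forms fold to
       their ASCII equivalents.
    3. Drop format and control characters (zero-width joiners and similar),
       case-fold, and collapse runs of whitespace, so trailing or doubled
       spaces do not make two names distinct.
    """
    prev = None
    while prev != name:
        prev, name = name, html.unescape(name)
    name = unicodedata.normalize("NFKC", name)
    name = "".join(c for c in name if unicodedata.category(c) not in ("Cf", "Cc"))
    return " ".join(name.casefold().split())


def registration_problems(candidate: str, existing=EXISTING_USERS) -> list:
    """Return the reasons a registration should be refused (empty = allow).

    "regex"        : candidate fails the post's interim regex.
    "duplicate"    : candidate is exactly an existing username.
    "imitates:X"   : candidate differs from existing user X only in ways
                     canonical() erases, i.e. it looks like X.
    """
    problems = []
    if not USERNAME_REGEX.match(candidate):
        problems.append("regex")
    canon = canonical(candidate)
    for user in existing:
        if user == candidate:
            problems.append("duplicate")
        elif canonical(user) == canon:
            problems.append(f"imitates:{user}")
    return problems


if __name__ == "__main__":
    # Constructed probes: an HTML-entity suffix, a full-width letter, a
    # zero-width space, a trailing space, an exact duplicate and a clean name.
    for probe in ["Adrian&#32;", "\uff21drian", "Adrian\u200b", "Adrian ", "Adrian", "Bob"]:
        print(repr(probe), "->", registration_problems(probe) or "ok")
```

Note that the regex alone passes "Adrian " (the character class allows spaces), so a name that differs from an existing one only by trailing whitespace is caught only by the imitation check; the regex and the canonical comparison are complementary, which is why the post describes the regex as an interim measure.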