I don't think vB is checking this correctly... notifying Jelsoft now.

What are you talking about?

Ah, I see. Very weird!

What's wrong?

firefly, i think they talk about the threadstarter, there stands Thread Starte: "Is this a bug?" but the first post as you can see is from LoveShack

how'ed he do that? Oo

I reported the issue to Jelsoft. Hopefully they'll fix it in the next release. :) *crosses fingers* To clarify, the username value in the threads database shows any unregistered value that one choses ("Is this a bug?"), while the post database shows the currently logged in user (LoveShack).

yeah i know, that at the postbits the username changes with the userid, so you can rename users.
if you delete a user, it handles like thread usernames are handeld.

but i'm intrested how this bug works, what must i do to change the thread postusername?

Clearly, releasing that information before jelsoft has the chance to create a fix would undoubtedly cause problems. I'd rather give them a chance to work on this and incorporate the fix into 2.2.6 or give us instructions on how to fix it.

ok then :(
but you're right

althoug its funny ^^

Since it's not a security issue, feel free to post how it works.

Wierd

Hi,

Originally posted by tubedogg
Since it's not a security issue, feel free to post how it works.

I'd have to disagree. I think it is clearly a potential security issue. This works regardless of whether or not guest posting is enabled or disabled, therefore in an environment where only registered users may post, someone can misrepresent themselves with this exploit. For example, being registered as joeuser and having "Forum Administration" appear in the thread listing.

As this was fixed in vb2.2.6, I've posted the details below:

I have chosen to enable guest posting in my forum but did not want the username field to default to "Unregistered." I made the default username "". Vbulletin does not (much to my dismay) check for contents in the username field--neither via javascript nor internally. I therefore wanted to add this check, much in the same way checks are made for a subject and message.

When a registered user posts, there is no username input field to check since it's already supplied (the link with [logout] next to it). Therefore, I tested what would happen if I created a hidden field with a username value of "null" (i.e. <input type="hidden" name="username" value="null">). Much to my dismay, vbulletin processed that value and used it for the thread table's username information.

One can change the value of the username field in the thread display by passing it via a hidden input field. This will work so long as the value you specify is not a currently registered user.

I have not checked any other areas of the code for similar failures in checking, although I can't picture a place where this would be a problem.

I have verified that this no longer works in vb2.2.6 and the hidden username value is correctly ignored in favor of the actual logged in user.

Thanks,
Paul

P.S. -- Those that are interested, I was able to check for a username value via javascript using the following code:


if (typeof(theform.username) == "undefined") {
return true; }
else if (theform.username.value == "") {
alert("Please enter a username. You may use any nickname that is currently not registered.");
return false; }
else { return true; }


I have not tested vb2.2.6 to see if it internally checks for the presense of a username value, however if anyone can provide a quick hack to do so I'd appreciate it.

Edit: Confirmed that vb2.2.6 now does check for the presence of a username and will not accept a blank value. :)

aver......

This is happening on VB 3.0.1 . Any idea how to solve this? Users are being able to post with other user names, etc.

This thread is over 2 years old, please start a new thread with what your problems are exactly. and if you have not hacked vbulletin post it at vBulletin.com