vb.org Archive - Is something not right here?

Hi,

Quote:

Originally posted by tubedogg
Since it's not a security issue, feel free to post how it works.

I'd have to disagree. I think it is clearly a potential security issue. This works regardless of whether or not guest posting is enabled or disabled, therefore in an environment where only registered users may post, someone can misrepresent themselves with this exploit. For example, being registered as joeuser and having "Forum Administration" appear in the thread listing.

As this was fixed in vb2.2.6, I've posted the details below:

I have chosen to enable guest posting in my forum but did not want the username field to default to "Unregistered." I made the default username "". Vbulletin does not (much to my dismay) check for contents in the username field--neither via javascript nor internally. I therefore wanted to add this check, much in the same way checks are made for a subject and message.

When a registered user posts, there is no username input field to check since it's already supplied (the link with [logout] next to it). Therefore, I tested what would happen if I created a hidden field with a username value of "null" (i.e. <input type="hidden" name="username" value="null">). Much to my dismay, vbulletin processed that value and used it for the thread table's username information.

One can change the value of the username field in the thread display by passing it via a hidden input field. This will work so long as the value you specify is not a currently registered user.

I have not checked any other areas of the code for similar failures in checking, although I can't picture a place where this would be a problem.

I have verified that this no longer works in vb2.2.6 and the hidden username value is correctly ignored in favor of the actual logged in user.

Thanks,
Paul

P.S. -- Those that are interested, I was able to check for a username value via javascript using the following code:

Code:

                if (typeof(theform.username) == "undefined") {

                              return true; }

                else if (theform.username.value == "") {

                              alert("Please enter a username. You may use any nickname that is currently not registered.");

                              return false; }

                else { return true; }

I have not tested vb2.2.6 to see if it internally checks for the presense of a username value, however if anyone can provide a quick hack to do so I'd appreciate it.

Edit: Confirmed that vb2.2.6 now does check for the presence of a username and will not accept a blank value. :)

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01583 seconds Memory Usage 1,727KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_code_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (6)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: