vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   HELP! Need help blocking invisible unicode chars in usernames. (https://vborg.vbsupport.ru/showthread.php?t=247166)

dvg323 07-23-2010 08:18 PM

HELP! Need help blocking invisible unicode chars in usernames.
 
Hello,

I am running vB 3.8.6 (it's outdated, I know, but the people who host/own our forums refuse to respond to my pleas to update).

There are users who are joining with invisible space Unicode characters and naming themselves after moderators. vB treats them as 2 users, but I noticed that when I banned "_Moderator" (where "_" is the invisible space), it not only banned the fake account but the REAL moderator account as well. To combat this I had to rename the account to Moderator2 so that I could ban (and rename) the fake account. I am worried that this exploit may possibly grant these dupe accounts access to the staff forums. I do not know which Unicode symbols they are using, because when they register as a string of them we cannot click their usernames, and we do not know what to search.

If there's a list of blank space unicode characters that I can add to the block list I'd REALLY appreciate some direction on where to go.

Thanks a lot in advance. :)

edit: Managed to use some trickery to pull up one of their usernames. Here is a copy/paste job of it:
" " <--- It is copy/pasted between these quotation marks.
" " <--- Another
" " <-- A third one.

BirdOPrey5 07-24-2010 01:37 AM

3.8.6 is the pinnacle of vB achievement, it is NOT outdated. Your forum overlords are wise for not upgrading, I don't see anything in vb4 that would solve this problem.

snakes1100 07-24-2010 11:55 AM

If you're running 3.8.6 & not 3.8.6 pl1, you better upgrade before you're hacked.

admincp --> vbulletin options --> user registrations --> username regular expression

^[A-Za-z0-9 ]+$

Limit usernames to alpha chars, numbers & spaces only.

BirdOPrey5 07-24-2010 12:58 PM

Quote:

Originally Posted by snakes1100 (Post 2073823)
If you're running 3.8.6 & not 3.8.6 pl1, you better upgrade before you're hacked.

admincp --> vbulletin options --> user registrations --> username regular expression

^[A-Za-z0-9 ]+$

Limit usernames to alpha chars, numbers & spaces only.

Would that screw up people who registered before with apostrophes? Or is there a way to add apostrophes to the allowed list?

snakes1100 07-24-2010 03:45 PM

No, it will not interfere with users who are already registered.

BirdOPrey5 07-24-2010 03:53 PM

Thanks, I actually found this regular expression:
Code:

^[a-zA-Z0-9\s.\-_']+$
Which allows for more characters but still prevents the 'hidden' ones.

snakes1100 07-24-2010 04:01 PM

Should work fine.

You can also strip chars out with this, when they try to register.

^((?!&#\d+;)[\x20-\x7E])+$
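The three patterns posted in this thread can be checked offline before they go into the AdminCP option. The following Python script is an added example and is not code from the thread or from vBulletin: it runs each pattern over constructed sample usernames (including ones prefixed with U+200B ZERO WIDTH SPACE and U+2003 EM SPACE, the kind of characters the first post describes), lists which invisible or non-ASCII space characters a name contains, and computes a canonical form that shows why "_Moderator" and "Moderator" should be treated as the same account. It assumes Python's `re.ASCII` flag is a fair stand-in for PCRE running without the UTF modifier, which is how vBulletin 3.x applies the username regular expression; with that flag `\s` and `\d` match ASCII only, so the second pattern rejects Unicode spaces the same way it does in PHP. Note that the third pattern's `(?!&#\d+;)` lookahead refuses numeric character references such as `&#8203;`, which is the form an invisible character takes once it has been HTML-entity encoded.

```python
import re
import unicodedata
from typing import Dict, List

# The three username patterns quoted in the thread (vBulletin AdminCP ->
# vBulletin Options -> User Registration Options -> Username Regular Expression).
PATTERNS: Dict[str, str] = {
    "alnum_space": r"^[A-Za-z0-9 ]+$",
    "alnum_punct": r"^[a-zA-Z0-9\s.\-_']+$",
    "printable_ascii": r"^((?!&#\d+;)[\x20-\x7E])+$",
}

# Constructed sample usernames (not taken from the thread's real accounts).
SAMPLES: List[str] = [
    "Moderator",                 # the real staff name
    "\u200bModerator",           # ZERO WIDTH SPACE prefix
    "\u2003Moderator",           # EM SPACE prefix
    "Mod\u00adera\u200dtor",     # SOFT HYPHEN and ZERO WIDTH JOINER inside
    "&#8203;Moderator",          # the same zero-width space, entity-encoded
    "O'Brien-Smith",             # legitimate apostrophe and hyphen
    "User 42",                   # plain ASCII with a space
]


def is_allowed(username: str, pattern: str) -> bool:
    """True if the whole username matches the pattern.

    re.ASCII is assumed to emulate PCRE without the /u modifier, as vBulletin
    3.x uses it: \\s and \\d then match ASCII characters only, so a Unicode
    space such as U+2003 does not slip through the alnum_punct pattern.
    """
    return re.fullmatch(pattern, username, flags=re.ASCII) is not None


def invisible_code_points(username: str) -> List[str]:
    """Name every character a moderator cannot see: Unicode format characters
    (Cf, e.g. zero-width space), control characters (Cc) and space separators
    (Zs) other than the ordinary ASCII space."""
    found = []
    for ch in username:
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc") or (cat == "Zs" and ch != " "):
            found.append(f"U+{ord(ch):04X} {unicodedata.name(ch, '<unnamed>')}")
    return found


def canonical_name(username: str) -> str:
    """Collapse a display name to the form a duplicate check should compare:
    drop invisible characters, map every Unicode space to an ASCII space,
    apply NFKC normalisation, casefold, and squeeze runs of whitespace."""
    visible = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch
        for ch in username
        if unicodedata.category(ch) not in ("Cf", "Cc")
    )
    return " ".join(unicodedata.normalize("NFKC", visible).casefold().split())


def collides_with_existing(candidate: str, existing: List[str]) -> bool:
    """True if the candidate would be indistinguishable from an existing
    username once invisible characters and compatibility forms are removed;
    this is the check that would have flagged the fake moderator at signup."""
    target = canonical_name(candidate)
    return any(canonical_name(name) == target for name in existing)


def report() -> Dict[str, Dict[str, object]]:
    """Evaluate every sample against every pattern; returned for inspection."""
    existing = ["Moderator"]
    result: Dict[str, Dict[str, object]] = {}
    for name in SAMPLES:
        result[name] = {
            "invisible": invisible_code_points(name),
            "collides": collides_with_existing(name, existing),
            **{label: is_allowed(name, pat) for label, pat in PATTERNS.items()},
        }
    return result


if __name__ == "__main__":
    for name, row in report().items():
        print(repr(name), row)
```

Running the script shows that all three patterns reject every sample containing a zero-width or Unicode space, while only the second and third accept "O'Brien-Smith"; the canonical-name check additionally reports that the three disguised "Moderator" variants collide with the real name, which is the comparison the ban logic in the first post was effectively making after the fact.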

