The Arcive of Official vBulletin Modifications Site.

Is something not right here? · **Released**: 05-16-2002

I don't think vB is checking this correctly... notifying Jelsoft now.

tubedogg · #12 05-16-2002, 10:52 PM

Since it's not a security issue, feel free to post how it works.

Xanthine · #13 05-16-2002, 11:54 PM

Wierd

Paul · #14 06-05-2002, 02:08 AM

Hi,

Quote:

Originally posted by tubedogg
Since it's not a security issue, feel free to post how it works.

I'd have to disagree. I think it is clearly a potential security issue. This works regardless of whether or not guest posting is enabled or disabled, therefore in an environment where only registered users may post, someone can misrepresent themselves with this exploit. For example, being registered as joeuser and having "Forum Administration" appear in the thread listing.

As this was fixed in vb2.2.6, I've posted the details below:

I have chosen to enable guest posting in my forum but did not want the username field to default to "Unregistered." I made the default username "". Vbulletin does not (much to my dismay) check for contents in the username field--neither via javascript nor internally. I therefore wanted to add this check, much in the same way checks are made for a subject and message.

When a registered user posts, there is no username input field to check since it's already supplied (the link with [logout] next to it). Therefore, I tested what would happen if I created a hidden field with a username value of "null" (i.e. <input type="hidden" name="username" value="null">). Much to my dismay, vbulletin processed that value and used it for the thread table's username information.

One can change the value of the username field in the thread display by passing it via a hidden input field. This will work so long as the value you specify is not a currently registered user.

I have not checked any other areas of the code for similar failures in checking, although I can't picture a place where this would be a problem.

I have verified that this no longer works in vb2.2.6 and the hidden username value is correctly ignored in favor of the actual logged in user.

Thanks,
Paul

P.S. -- Those that are interested, I was able to check for a username value via javascript using the following code:

Code:

                if (typeof(theform.username) == "undefined") {
                              return true; }
                else if (theform.username.value == "") {
                              alert("Please enter a username. You may use any nickname that is currently not registered.");
                              return false; }
                else { return true; }

I have not tested vb2.2.6 to see if it internally checks for the presense of a username value, however if anyone can provide a quick hack to do so I'd appreciate it.

Edit: Confirmed that vb2.2.6 now does check for the presence of a username and will not accept a blank value.

#15 06-18-2002, 03:27 PM

aver......

hamy · #16 12-07-2004, 01:37 PM

This is happening on VB 3.0.1 . Any idea how to solve this? Users are being able to post with other user names, etc.

Zachery · #17 12-07-2004, 01:49 PM

This thread is over 2 years old, please start a new thread with what your problems are exactly. and if you have not hacked vbulletin post it at vBulletin.com

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04262 seconds Memory Usage 2,258KB Queries Executed 23 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)bbcode_code (1)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)modsystem_post (1)navbar (6)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (7)post_thanks_box (7)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (7)post_thanks_postbit_info (6)postbit (6)postbit_onlinestatus (7)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!