new vb exploit! :S

[rob01]

there is a new vb exploit problem!


im not sure if it was already fixed in verison 3.8.2, but is still available under 3.8.1 and 3.8.2



picture::



cheers


ahh sorry about the double post... pls delete the other post

[Michael.A]

how did u use the same name????

[rob01]

is a name exploit ! all vb 3.8.* has it

[TigerC10]

It results from a bad import of data, it's not an exploit - it's bad administration.

[BlueNinjaGo]

Quote:

Originally Posted by TigerC10

It results from a bad import of data, it's not an exploit - it's bad administration.

Like how? So I can avoid it...

an Exploit is something that can help a hacker insert or extract data from the engine, not changing username of a member post...

and from what i see from the screeny, if it's not a very modified vBulletin *(with possible flaws due to modifications) it's a phpBB forum.

[TigerC10]

Quote:

Originally Posted by BlueNinjaGo

Like how? So I can avoid it...

One case is if you restore a database backup and an error occurs during restoration. Another, more common occurance, is when merging one board into another board where the username already exists. I've even experienced it when an admin switches vB over to something else like PHPBB and then switches back over to vB - duplication occurs.

Anyway, after importing data the admin should always check for username duplication.

Quote:

Originally Posted by nexialys

an Exploit is something that can help a hacker insert or extract data from the engine, not changing username of a member post...

I disagree, if a person were able to change their username upon post - it is still an exploit. It may not be a traditional "hack", but it is still considered an exploit.

Quote:

Originally Posted by nexialys

and from what i see from the screeny, if it's not a very modified vBulletin *(with possible flaws due to modifications) it's a phpBB forum.

If it is a PHPBB forum, then they're using the vBulletin online status image next to the username.

[rob01]

is not PHPBB

is not a bad merge since this forum has been using vb since ages, and is not a databese backup , since this is posible to do in other vb forums

cheers

i dont think the other vb forums have the same problem of bad import data

but this forum is since 2007 or older.. and they always have used vb

[TigerC10]

It could be a database backup, do you host this website yourself or do you have a hosting provider? Because I've known hosting providers to lose servers and restore backups only to have a hitch in the backup or in the restoration of the backup.

EDIT:
Nevermind, I figured this one out. Instead of using a standard "M" in the username, this person used the greek letter Mu html character code "Μ" or "Μ". This allows for a completly new user with the name that looks just like someone else's since the character "Mu" is not the same as M.

Here's a list of some other greek symbols that can be used for registration fake outs:
http://www.w3schools.com/tags/ref_symbols.asp

Alpha, Beta, Epsilon, Zeta, Eta, Iota, Kappa, Mu, Nu, Omicron, Rho, Tau, Upsilon, Chi


To fix it, add these to your illegal user names

AdminCP -> vBulletin Options -> User Registration Options -> Illegal User Names

Code:

Α Β Ε Ζ Η Ι Κ Μ Ν Ο Ρ Τ Υ Χ ν ο

Code:

Α Β Ε Ζ Η Ι Κ Μ Ν Ο Ρ Τ Υ Χ ν ο

Or if you really want to be strict about it, just add a singular semicolin like ';' to the illegal name list.

[BlueNinjaGo]

Nevermind, didn't see your edit.