Hi all,
I will be away for a week, but I noticed a problem that had been corrected in the release of v2.2.6 that I cannot reproduce.
A guest user has posted a message without supplying a username. Prior to version 2.2.6, vBulletin would not check the username value; however, beginning with 2.2.6 it checks. When I attempt to post without a username, I get a standard error telling me that I need to supply one. Searching the database for the actual post resulted in a match for "" (nothing). I tested various alternatives, such as a space, , etc. without being able to see the problem. I'm assuming that whatever characters are being used to exploit this are being stripped before going into the database, although I haven't checked the code to confirm this.
I wanted to post this now before I left to see if anyone could find the problem. This cannot be done easily (as my tests have confirmed) so I am forced to assume that these are the acts of a malicious user.
I should restate that this problem occurs with guests being permitted to post. Restricting the forum to registered users only is not an option.
I will be unable to reply until next weekend.
Many thanks,
Paul