phpBB vulnerability and fix (asterisks in user names)

Reply Sun 21 Mar, 2004 06:09 pm
Asterisks in usernames are a low-level vulnerability. Because it serves as a wildcard, the search for the member's posts can slow the board to a crawl if search engines find the usernames.

I've reported this to phpBB, but I do not know what they will do about it so I'll release a code snippet to fix this here.

Note: The search can still be manually called, but the following fix will at least prevent registration of asterisks in usernames and thus prevent search engines from trying to spider the asterisk search.

in includes/functions_validate.php


// Don't allow " and ALT-255 in username.
if (strstr($username, '"') || strstr($username, '&quot;') || strstr($username, chr(160)))

replace with

// Don't allow ", * and ALT-255 in username.
if (strstr($username, '"') || strstr($username, '&quot;') || strstr($username, '*') || strstr($username, '%2A') || strstr($username, chr(160)))

Note, I'd like to stress that this is closer to a bug than a serious vulnerability. DoS attacks can be performed on any site, and the only real method to prevent this is on a hardware level.

So this is not to be taken as shoddy security on the part of phpBB, it's just a small issue that can be prevented.
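The following is an added example, not code from the post above or from phpBB itself: a stand-alone PHP version of the username check the post describes, next to a small illustration of why an asterisk matters to the author search. The post states that the asterisk acts as a wildcard in the member-post search; the assumption made here is that it is translated into the SQL LIKE wildcard '%', which is not a copy of phpBB's own search.php. The error-message string and the function names are also assumptions made for illustration; phpBB's validate_username() uses $lang['Username_invalid'].

```php
<?php
// Added example (not phpBB's own code): reject usernames containing the
// characters the post lists, and show the search-side effect of '*'.

// Characters that must not appear in a username.
//   '"' and '&quot;'  : a double quote and its HTML-encoded form
//   '*'               : treated as a wildcard by the author search
//   '%2A' / '%2a'     : the URL-encoded asterisk, in case a form handler
//                       passes the raw encoded value through undecoded
//   chr(160)          : ALT-255 (a non-breaking space that looks blank)
function username_has_forbidden_chars($username)
{
    $forbidden = array('"', '&quot;', '*', '%2A', '%2a', chr(160));
    foreach ($forbidden as $needle) {
        // strpos() !== false is the idiomatic "contains" test; strstr() works too
        if (strpos($username, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Mirrors the array('error' => bool, 'error_msg' => string) shape that
// phpBB 2's validate_username() returns. The message text is an assumption.
function validate_username_chars($username)
{
    if (username_has_forbidden_chars($username)) {
        return array('error' => true, 'error_msg' => 'Username_invalid');
    }
    return array('error' => false, 'error_msg' => '');
}

// Assumed behaviour of a wildcard author search: '*' becomes the SQL LIKE
// wildcard '%'. A username of just '*' then matches every author, and the
// query has to touch every post. Generic illustration, not phpBB's search.php.
function author_like_pattern_unsafe($author)
{
    return str_replace('*', '%', $author);
}

// Defensive counterpart for the search side: escape the LIKE metacharacters
// so a literal author name stays literal, and only translate '*' when the
// caller explicitly allows a wildcard search. Assumes backslash as the LIKE
// escape character (MySQL's default; add "ESCAPE '\\'" for other databases).
function author_like_pattern_safe($author, $allow_wildcard = false)
{
    $escaped = str_replace(array('\\', '%', '_'),
                           array('\\\\', '\\%', '\\_'),
                           $author);
    return $allow_wildcard ? str_replace('*', '%', $escaped) : $escaped;
}

// Constructed sample usernames (not real accounts).
foreach (array('alice', 'al*ce', '*', 'bob%2A', "eve\xA0") as $name) {
    $result = validate_username_chars($name);
    printf("%-10s rejected=%s\n", $name, $result['error'] ? 'yes' : 'no');
}
printf("unsafe pattern for '*': %s\n", author_like_pattern_unsafe('*'));
printf("safe pattern for '*':   %s\n", author_like_pattern_safe('*'));
```

The registration check only stops new accounts from carrying a wildcard; as the post notes, the search can still be called by hand with an asterisk, so the escaping in author_like_pattern_safe() is the part that actually closes that path if applied where the LIKE clause is built.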