Asterisks in usernames are a low-level vulnerability. Because the asterisk serves as a wildcard, the search for the member's posts can slow the board to a crawl if search engines find the usernames.
I've reported this to phpBB, but I do not know what they will do about it so I'll release a code snippet to fix this here.
Note: The search can still be called manually, but the following fix will at least prevent registration of usernames containing asterisks and thus prevent search engines from trying to spider the asterisk search.
In includes/functions_validate.php, find:
Code:
// Don't allow " and ALT-255 in username.
if (strstr($username, '"') || strstr($username, '&quot;') || strstr($username, chr(160)))
Replace with:
Code:
// Don't allow ", * and ALT-255 in username.
if (strstr($username, '"') || strstr($username, '&quot;') || strstr($username, '*') || strstr($username, '%2A') || strstr($username, chr(160)))
Note: I'd like to stress that this is closer to a bug than a serious vulnerability. DoS attacks can be performed on any site and the only real method to prevent this is on a hardware level.
So this is not to be taken as shoddy security on the part of phpBB; it's just a small issue that can be prevented.
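The patched check as a stand-alone function, added here as an example and not taken from phpBB; the function name and the sample usernames are hypothetical. It goes one step beyond the snippet by matching the URL-encoded asterisk case-insensitively, since strstr() is case-sensitive and the '%2A' test in the replacement line does not match '%2a'.

```php
<?php
// Added example, not phpBB code. username_has_forbidden_chars() is a
// hypothetical helper; the usernames below are constructed test input.

/**
 * Return true when $username contains a character the patched check rejects:
 * a double quote (raw or as &quot;), an asterisk (raw or URL-encoded),
 * or ALT-255 (byte 0xA0, chr(160)).
 */
function username_has_forbidden_chars(string $username): bool
{
    // Literal needles, the same ones the patched line looks for.
    foreach (['"', '&quot;', '*', chr(160)] as $needle) {
        if (strpos($username, $needle) !== false) {
            return true;
        }
    }
    // URL-encoded asterisk. stripos() ignores case, so %2A and %2a both match.
    return stripos($username, '%2A') !== false;
}

// Constructed samples: [username, expected result].
$samples = [
    ['alice',                   false],
    ['bob*',                    true],
    ['*',                       true],
    ['carol%2A',                true],
    ['dave%2a',                 true],  // missed by a case-sensitive '%2A' test
    ['eve"x',                   true],
    ['mallory&quot;',           true],
    ['nb' . chr(160) . 'sp',    true],
];

$failures = 0;
foreach ($samples as [$name, $expected]) {
    $actual = username_has_forbidden_chars($name);
    if ($actual !== $expected) {
        $failures++;
    }
    printf("%-16s %s\n", rawurlencode($name), $actual ? 'rejected' : 'allowed');
}
echo $failures === 0 ? "all samples behaved as expected\n" : "$failures mismatches\n";
```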