MyBB Community Forums

Full Version: New user registered without username
So I help a friend run a forum and today a new user registered but somehow managed to do so without setting a username.

We have our Login and Registration settings set at a minimum username length of 3 and max of 16.

Not sure how this was done, the user also made a post with nothing in the message box as well. Doesn't seem like much of a threat now, but hopefully someone here can figure out how this is possible??
He has used invisible characters.
In Windows they are not visible (sometimes) and often show up as blank square boxes.

Look at this thread:
https://community.mybb.com/thread-218193.html
Thank you, I since realized after pasting the post into Notepad++.
(2018-07-22, 12:19 AM)0xB9 Wrote: [ -> ]Thank you, I since realized after pasting the post into Notepad++.

Good catch!

I'm curious to know what he/she posted in the message box.
(2018-07-22, 12:13 AM)effone Wrote: [ -> ]He has used invisible characters.
In Windows they are not visible (sometimes) and often show up as blank square boxes.

Look at this thread:
https://community.mybb.com/thread-218193.html

Is this what this user used on my website? Alt-Codes?

How can this be prevented in the future? Change in the core code or a plugin?
-- Bump! --

I'd still like to find a way to prevent this from happening again on my website.

Any ideas?
You can ban usernames containing these characters.
I would recommend creating a whitelist instead, to only allow alphanumeric characters. You can get characters such as 'e' from the Greek alphabet which, although they look similar, have different HTML entity values and as such can be used to impersonate other users on the forum.
(2018-07-29, 08:06 AM)linguist Wrote: [ -> ]You can ban usernames containing these characters.

I know I can do that, but... 

How do you ban invisible usernames? 

How do I set that up in my AdminCP? What would I input in that Username box?

You linked the solution yourself: enter the alt-codes for the nonbreaking spaces and a wildcard on either side. Other than that, copy the "crazy" characters from the strange poll thread linked in post #2.

If you don't want to use a whitelist as suggested in post #8, but want to be safe from Unicode exploits, you need to exclude Greek and Cyrillic characters that look like Latin letters. Copy them from here, if you like:
Greek: ΑΒΕΖΗΙΚΜΝΟοΡρΤΧϹϺϲ
Cyrillic: ЅІЈАВЕКМНОРСТХаекморсхѕіјһӀӏӒӓӔӕӦӧԁԌԚԛԜԝ
Spaces:           ​‌‍‎‏

‪‫‬‭‮ ⁠⁡⁢⁣⁤ 
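
The whitelist approach suggested in the thread, as an added example that is not part of any post and is not MyBB code: a Python check (function names are hypothetical) that accepts only ASCII letters and digits within the 3 to 16 length setting mentioned in the first post, and reports which invisible or look-alike characters caused a rejection. The sample usernames are constructed.

```python
import re
import unicodedata

# Length limits taken from the forum settings quoted in the thread (3 to 16).
MIN_LEN, MAX_LEN = 3, 16
ALLOWED = re.compile(r"[A-Za-z0-9]{%d,%d}" % (MIN_LEN, MAX_LEN))

# Unicode general categories that render as nothing or as blank space:
# Cf = format (zero-width, bidi controls), Zs/Zl/Zp = separators, Cc = controls.
INVISIBLE_CATEGORIES = {"Cf", "Zs", "Zl", "Zp", "Cc"}


def explain_char(ch):
    """Return a reason string if ch is outside the whitelist, else None."""
    if ch.isascii() and ch.isalnum():
        return None
    code = "U+%04X" % ord(ch)
    name = unicodedata.name(ch, "UNNAMED")
    if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
        return "%s invisible or blank (%s)" % (code, name)
    if ch.isalpha():
        return "%s non-Latin or accented letter (%s)" % (code, name)
    return "%s not alphanumeric (%s)" % (code, name)


def check_username(username):
    """Whitelist check: (True, []) if acceptable, else (False, reasons)."""
    if ALLOWED.fullmatch(username):
        return True, []
    reasons = [r for r in map(explain_char, username) if r]
    if not reasons:  # only whitelisted characters, so the length is wrong
        reasons.append("length %d outside %d-%d" % (len(username), MIN_LEN, MAX_LEN))
    return False, reasons


# Constructed sample registrations (not taken from the thread).
SAMPLES = [
    "forumuser1",               # plain ASCII
    "\u00a0\u00a0\u00a0",       # three NO-BREAK SPACEs: passes a length-only check
    "\u200b\u200d\u2060",       # zero-width characters
    "\u0430dmin",               # CYRILLIC SMALL LETTER A followed by "dmin"
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, why = check_username(sample)
        print(repr(sample), "accepted" if ok else "rejected", why)
```

Because the check lists allowed characters rather than banned ones, it also rejects invisible and look-alike characters that are missing from any copied ban list.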