MyBB Community Forums

Full Version: [F] Duplicate user-names (a race condition?)
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
MyBB 1.2
I have found in my DB users with same usernames and consecutive UID-s (e.g. 17000 and 17001; same e-mails etc.). I do not know how they were created (accounts were registered by forum), but it can be a race condition (check if user exist and then insert user).

A simple solution is a UNIQUE INDEX for username column in mybb_users.

MyBB 1.2 does not have any index on username, MyBB 1.4 have only "INDEX".

UNIQUE INDEX also solves "MySQL and SQL Column Truncation Vulnerabilities" (although MyBB seems to be invulnerable for this because of removing multiple spaces from username in datahandler\user.php).
If you can reproduce this, then we can count it as a bug.

MySQL would error (iirc) if we tried to set the column to UNIQUE INDEX and if there would be duplicate usernames (such as in your case). Which would then mean we would have to loop through and check for duplicates on all the usernames - And in the event we did find something, then what would we do? We can't just remove the account or rename it without involving a whole ton of other things.
CREATE TABLE mybb_users (
  uid int unsigned NOT NULL auto_increment,
  username varchar(120) NOT NULL default '',
  password varchar(120) NOT NULL default '',
  salt varchar(10) NOT NULL default '',
  loginkey varchar(50) NOT NULL default '',

-- ...

  unreadpms int(10) NOT NULL default '0',
  warningpoints int(3) NOT NULL default '0',
  moderateposts int(1) NOT NULL default '0',
  moderationtime bigint(30) NOT NULL default '0',
  suspendposting int(1) NOT NULL default '0',
  suspensiontime bigint(30) NOT NULL default '0',
  coppauser int(1) NOT NULL default '0',
  classicpostbit int(1) NOT NULL default '0',
  UNIQUE KEY username (username),
  KEY usergroup (usergroup),
  KEY birthday (birthday),

It does look like there's a UNIQUE KEY on the username. If it's not there, it's possible for things to stuff up in a multi-process environment...
Hmmm... It seems that MyBB 1.4 install script creates mybb_users with UNIQUE KEY on username but MyBB 1.2 -> 1.4 upgrade script don't:
(file install/resources/upgrade12.php):
    $db->write_query("ALTER TABLE ".TABLE_PREFIX."users DROP KEY username");
$db->write_query("ALTER TABLE ".TABLE_PREFIX."users ADD KEY username (username)");

So my original bug report is somewhat bogus Smile - the upgrade script has a flaw instead.
ah, wonder how that got missed o.o
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.