MyBB Community Forums

Full Version: [F] Duplicate user-names (a race condition?)
MyBB 1.2
I have found in my DB users with the same usernames and consecutive UIDs (e.g. 17000 and 17001; same e-mails etc.). I do not know how they were created (the accounts were registered by the forum), but it can be a race condition (check if the user exists and then insert the user).

A simple solution is a UNIQUE INDEX for username column in mybb_users.

MyBB 1.2 does not have any index on username, MyBB 1.4 has only "INDEX".

UNIQUE INDEX also solves "MySQL and SQL Column Truncation Vulnerabilities" (although MyBB seems to be invulnerable to this because of removing multiple spaces from the username in datahandler\user.php).
If you can reproduce this, then we can count it as a bug.

MySQL would error (iirc) if we tried to set the column to UNIQUE INDEX and if there would be duplicate usernames (such as in your case). Which would then mean we would have to loop through and check for duplicates on all the usernames - And in the event we did find something, then what would we do? We can't just remove the account or rename it without involving a whole ton of other things.
CREATE TABLE mybb_users (
  uid int unsigned NOT NULL auto_increment,
  username varchar(120) NOT NULL default '',
  password varchar(120) NOT NULL default '',
  salt varchar(10) NOT NULL default '',
  loginkey varchar(50) NOT NULL default '',

-- ...

  unreadpms int(10) NOT NULL default '0',
  warningpoints int(3) NOT NULL default '0',
  moderateposts int(1) NOT NULL default '0',
  moderationtime bigint(30) NOT NULL default '0',
  suspendposting int(1) NOT NULL default '0',
  suspensiontime bigint(30) NOT NULL default '0',
  coppauser int(1) NOT NULL default '0',
  classicpostbit int(1) NOT NULL default '0',
  UNIQUE KEY username (username),
  KEY usergroup (usergroup),
  KEY birthday (birthday),
  PRIMARY KEY (uid)
) TYPE=MyISAM;

It does look like there's a UNIQUE KEY on the username. If it's not there, it's possible for things to stuff up in a multi-process environment...
Hmmm... It seems that the MyBB 1.4 install script creates mybb_users with a UNIQUE KEY on username but the MyBB 1.2 -> 1.4 upgrade script doesn't:
(file install/resources/upgrade12.php):
if($index)
{
    $db->write_query("ALTER TABLE ".TABLE_PREFIX."users DROP KEY username");
}
$db->write_query("ALTER TABLE ".TABLE_PREFIX."users ADD KEY username (username)");

So my original bug report is somewhat bogus :) - the upgrade script has a flaw instead.
ah, wonder how that got missed o.o
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.
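
The check-then-insert race discussed in this thread, as an added example that is not part of the original posts or MyBB's code. It assumes an in-memory SQLite table named `users` standing in for `mybb_users`, and interleaves two registrations on one connection so that both checks run before either insert; the function names are hypothetical.

```python
import sqlite3

def make_db(unique):
    """Table with a plain or a UNIQUE index on username (SQLite stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY AUTOINCREMENT,"
               " username TEXT NOT NULL)")
    kind = "UNIQUE INDEX" if unique else "INDEX"
    db.execute(f"CREATE {kind} idx_username ON users (username)")
    return db

def username_taken(db, name):
    row = db.execute("SELECT 1 FROM users WHERE username = ?", (name,)).fetchone()
    return row is not None

def racing_registrations(db, name):
    """Two requests for the same name: both checks complete before either insert."""
    checks = [username_taken(db, name), username_taken(db, name)]
    outcomes = []
    for taken in checks:
        if taken:
            outcomes.append("rejected by check")
            continue
        try:
            db.execute("INSERT INTO users (username) VALUES (?)", (name,))
            outcomes.append("inserted")
        except sqlite3.IntegrityError:
            # Only the database constraint closes the window between check and insert.
            outcomes.append("rejected by index")
    return outcomes

def duplicate_usernames(db):
    """Rows that must be resolved before a UNIQUE index can be added."""
    return db.execute(
        "SELECT username, COUNT(*), MIN(uid), MAX(uid) FROM users"
        " GROUP BY username HAVING COUNT(*) > 1").fetchall()

def try_add_unique(db):
    """Attempt the schema fix; fails while duplicate usernames remain."""
    try:
        db.execute("CREATE UNIQUE INDEX username_uq ON users (username)")
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    for unique in (False, True):
        db = make_db(unique)
        print(unique, racing_registrations(db, "alice"), duplicate_usernames(db))
```

With the plain index both inserts succeed and the duplicate query reports consecutive UIDs; with the UNIQUE index the second insert is refused by the database.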