[Rejected] Registeration exploit & login problems.
#1
Hey. One of my forum member noticed that you can register account using same email address thats already used by adding +1 end of the email address. 
E.g. Someone uses email [email protected] - someone other can register an account using the exact same email by using [email protected]+1 as email address.
Would be great if you fix this exploit in your new build.

I am also facing problems with login. About month ago, one of my community admin couldnt login as it says something about incorrect fields. It also fucks up the login screen like this: http://puu.sh/mZabd/65e2a46898.png
Only 2 admin ranked members has faced this problem for now, i havent heard if any member has and i don't want to.

Please, fix or help me to fix these problems. Sorry for my bad english
Reply
#2
For 1) Weird. The function should return false with the +1 in the email.

2) Do you have a link?
Reply
#3
Ahem, answer to For 2) what link? Link to my forum or what? Also, is it even allowed to link another forums here?

I probably know the way to fix the multiregisteration bug, but wanted to inform MyBB about this, so they can fix it as they know how the system works.
Reply
#4
As nth said, entering Emails with + in the domain part is impossible on a clean MyBB forum. You can try it here. And nothing would be even delivered, that's not how aliases work... It's possible to use . and + in the first part though, which makes it indeed possible to reuse an Email. I'm sure it was discussed somewhere.

EDIT: here http://community.mybb.com/thread-131891.html
A solution would be comparing duplicate Emails without dots and +xyz at the end if the setting is enabled. But while it's simple to detect [email protected] if [email protected] is already registered, checking it the other way round would require a much less optimal query. Another problem is different handling of these characters on different domains.

There is no point in creating a thread for more than 1 issue, especially that the 2nd one is neither a bug (rather a theme issue) nor connected with the 1st one.. Please open a support thread instead.
Reply
#5
We could probably start using filter_var(), though.
Reply
#6
Well, got the message clearly. But as you said, "in clean version of MyBB", that was unclear. There were other forums with the exact same problem and they don't even know about this little, but still very affective exploit.
Reply
#7
(2016-02-13, 09:15 PM)nth Wrote: We could probably start using filter_var(), though.

filter_var() is problematic (e.g. IDN domains are not supported) and doesn't solve this issue.
Reply
#8
(2016-02-13, 05:34 PM)Destroy666 Wrote: As nth said, entering Emails with + in the domain part is impossible on a clean MyBB forum. You can try it here. And nothing would be even delivered, that's not how aliases work... It's possible to use . and + in the first part though, which makes it indeed possible to reuse an Email. I'm sure it was discussed somewhere.

EDIT: here http://community.mybb.com/thread-131891.html

Actually, use of dot and hyphen are used to create aliases in Gmail, but other domains may use different mechanisms. Just as some hosts treat the local portion as case insensitive while others treat it as case sensitive.
Reply
#9
Never heard of hyphens in Gmail.

The only solution I see is checking ./+ optionally if duplicate Emails are disallowed and a new setting for that is enabled. Except that, there's nothing we can do as I mentoned above.
Reply
#10
may be a plugin helps - eg. GMail Sanitizer (coded for MyBB 1.6.x)
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)