New user registered without username [Solved]
#1
Solved: 3 Years, 6 Months ago
So I help a friend run a forum and today a new user registered but somehow managed to do so without setting a username.

We have our Login and Registration settings set at a minimum username length of 3 and max of 16.

Not sure how this was done, the user also made a post with nothing in the message box as well. Doesn't seem like much of a threat now, but hopefully someone here can figure out how this is possible?
#2
He has used invisible characters.
In Windows they are not visible (sometimes) and often show up as blank square boxes.

Look at this thread:
https://community.mybb.com/thread-218193.html
#3
Thank you, I've since realized after pasting the post into Notepad++.
#4
(2018-07-22, 12:19 AM)0xB9 Wrote: Thank you, I since realized after pasting the post into Notepad++.

Good catch!

I'm curious to know what he/she posted in the message box.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
DEAF GOLF
#5
(2018-07-22, 12:13 AM)effone Wrote: He has used invisible characters.
In Windows they are not visible (sometimes) and often show up as blank square boxes.

Look at this thread:
https://community.mybb.com/thread-218193.html

Is this what this user used on my website? Alt-Codes?

How can this be prevented in the future? Change in the core code or a plugin?
I'm Serpius and You're Not    ¯\_(ツ)_/¯
DEAF GOLF
#6
-- Bump! --

I'd still like to find a way to prevent this from happening again on my website.

Any ideas?
I'm Serpius and You're Not    ¯\_(ツ)_/¯
DEAF GOLF
#7
You can ban usernames containing these characters.
#8
I would recommend creating a whitelist instead, to only allow alphanumeric characters. You can get characters such as 'e' from the Greek alphabet which, although they look similar, have different HTML entity values and as such can be used to impersonate other users on the forum.
#9
(2018-07-29, 08:06 AM)linguist Wrote: You can ban usernames containing these characters.

I know I can do that, but... 

How do you ban invisible usernames? 

How do I set that up in my AdminCP? What would I input in that Username box?

[Image: b019866a47e0f77ca5714c8a94521d7f.png]
I'm Serpius and You're Not    ¯\_(ツ)_/¯
DEAF GOLF
#10
You linked the solution yourself: enter the alt-codes for the nonbreaking spaces and a wildcard on either side. Other than that, copy the "crazy" characters from the strange poll thread linked in post #2.

If you don't want to use a whitelist as suggested in post #8, but want to be safe from Unicode exploits, you need to exclude Greek and Cyrillic characters that look like Latin letters. Copy them from here, if you like:
Greek: ΑΒΕΖΗΙΚΜΝΟοΡρΤΧϹϺϲ
Cyrillic: ЅІЈАВЕКМНОРСТХаекморсхѕіјһӀӏӒӓӔӕӦӧԁԌԚԛԜԝ
Spaces:           ​‌‍‎‏

‪‫‬‭‮ ⁠⁡⁢⁣⁤ 
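As an added example (not MyBB code and not posted by anyone in this thread), the following Python script applies the whitelist approach from post #8 and the invisible-character and Greek/Cyrillic look-alike checks from post #10 to usernames. The 3..16 length limits are the ones stated in post #1; allowing the underscore in the whitelist, the audit function, and the sample account list are assumptions made for the example.

```python
"""Username checks for the invisible-username problem discussed in this thread.

Added example, not part of MyBB. Assumptions are marked in comments.
"""
import re
import unicodedata

# Limits from post #1 (the forum's Login and Registration settings).
MIN_LEN, MAX_LEN = 3, 16

# Whitelist approach from post #8: ASCII letters and digits only.
# Assumption: the underscore is allowed as a separator; drop it for strict alphanumerics.
WHITELIST = re.compile(r"[A-Za-z0-9_]+")

# Blocklist approach from post #10: Greek and Cyrillic letters that look like Latin ones,
# copied from that post. Only needed if a site keeps allowing non-ASCII names.
CONFUSABLES = set("ΑΒΕΖΗΙΚΜΝΟοΡρΤΧϹϺϲ" "ЅІЈАВЕКМНОРСТХаекморсхѕіјһӀӏӒӓӔӕӦӧԁԌԚԛԜԝ")

# Unicode general categories that render as blank or not at all:
# Zs/Zl/Zp separators (e.g. U+00A0, U+2000..U+200A), Cf format characters (zero-width
# joiners, bidi controls, U+2060..U+2064), Cc controls, Co private use, Cn unassigned.
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc", "Co", "Cn"}


def invisible_chars(name):
    """List (index, code point, category) for every character that shows as blank."""
    return [
        (i, f"U+{ord(c):04X}", unicodedata.category(c))
        for i, c in enumerate(name)
        if unicodedata.category(c) in INVISIBLE_CATEGORIES
    ]


def visible_length(name):
    """Length as a reader perceives it, ignoring invisible characters."""
    return len(name) - len(invisible_chars(name))


def confusable_chars(name):
    """Characters from post #10's Greek/Cyrillic look-alike list that appear in the name."""
    return [c for c in name if c in CONFUSABLES]


def validate_username(name):
    """Whitelist validation (post #8). Returns (ok, reason)."""
    # len() counts code points, so three zero-width spaces satisfy a "minimum 3" rule;
    # the length check alone is not enough, which is what this thread ran into.
    if not MIN_LEN <= len(name) <= MAX_LEN:
        return False, f"length {len(name)} outside {MIN_LEN}..{MAX_LEN}"
    hidden = invisible_chars(name)
    if hidden:
        return False, "contains invisible characters: " + ", ".join(cp for _, cp, _ in hidden)
    if not WHITELIST.fullmatch(name):
        return False, "contains characters outside [A-Za-z0-9_]"
    return True, "ok"


def audit_accounts(accounts):
    """Flag existing (uid, name) pairs whose names fail the checks, for cleaning up after the fact.

    Assumption: the caller extracts (uid, username) rows from the forum database.
    """
    findings = {}
    for uid, name in accounts:
        ok, reason = validate_username(name)
        if not ok:
            findings[uid] = reason
    return findings


if __name__ == "__main__":
    # Constructed sample data for the demonstration, not real accounts.
    sample = [
        (1, "Serpius"),
        (2, "\u200b\u200b\u200b"),          # three zero-width spaces: passes a length>=3 check
        (3, "\u00a0\u00a0\u00a0\u00a0"),    # non-breaking spaces, as in the linked thread
        (4, "S\u0435rpius"),                # Cyrillic 'е' standing in for Latin 'e'
    ]
    for uid, reason in audit_accounts(sample).items():
        print(f"uid {uid}: {reason}")
    print("look-alike characters in account 4:", confusable_chars("S\u0435rpius"))
```

The script reports account 2 and 3 as invisible, account 4 as outside the whitelist, and lists the Cyrillic letter that makes account 4 look like account 1; `visible_length` shows why the forum's minimum-length setting was satisfied by a name nobody can see.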