Typically spambots sign up accounts, leave a website in the user profile, and never make a post.
Strangely, the spambots have now found a way to hide the website.
For example:
http://www.societyofrobots.com/robotforum/index.php?action=profile;u=7540
You can't see a website, at least until you look at the source code:
<td><b>Website: </b></td>
<td><a href="http://www.ro-bot.de" target="_blank"></a></td>
Searching for users with zero posts that have a website brings up this user.
I'm using SMF 1.1.11.
(I'll probably delete the user in a few weeks)
Hi, I don't think this is a bug. If the website name is omitted no warning will be given and it will display as such.
If that user were to make a post, then the website icon will appear but nothing when you hover over it. The behaviour is the same for 2.0, except that in the profile the icon is now shown rather than a link.
Interesting. It's not clickable because there's no text, but it still shows to search engines, etc.
All that's happened is that they've not added any text to the 'website title' area in their profile, but the link is still generated. 2.0 RC3 does the same thing.
To work around it, modify this part of Load.php.
while ($row = mysql_fetch_assoc($request))
{
	$new_loaded_ids[] = $row['ID_MEMBER'];
	$loaded_ids[] = $row['ID_MEMBER'];
	$row['options'] = array();
	$user_profile[$row['ID_MEMBER']] = $row;
}
Replace it with:
while ($row = mysql_fetch_assoc($request))
{
	// Blank both website fields when either is empty, so no text-less link is rendered.
	if (isset($row['websiteUrl']) && (empty($row['websiteTitle']) || empty($row['websiteUrl'])))
	{
		$row['websiteUrl'] = '';
		$row['websiteTitle'] = '';
	}
	$new_loaded_ids[] = $row['ID_MEMBER'];
	$loaded_ids[] = $row['ID_MEMBER'];
	$row['options'] = array();
	$user_profile[$row['ID_MEMBER']] = $row;
}
The equivalent code for 2.0 is:
while ($row = $smcFunc['db_fetch_assoc']($request))
{
	$new_loaded_ids[] = $row['id_member'];
	$loaded_ids[] = $row['id_member'];
	$row['options'] = array();
	$user_profile[$row['id_member']] = $row;
}
Replace it with:
while ($row = $smcFunc['db_fetch_assoc']($request))
{
	// Blank both website fields when either is empty, so no text-less link is rendered.
	if (isset($row['website_url']) && (empty($row['website_title']) || empty($row['website_url'])))
	{
		$row['website_url'] = '';
		$row['website_title'] = '';
	}
	$new_loaded_ids[] = $row['id_member'];
	$loaded_ids[] = $row['id_member'];
	$row['options'] = array();
	$user_profile[$row['id_member']] = $row;
}
It isn't a security vulnerability but it IS an unexpected negative side effect.
Will this fix be included in future code versions?
(I assume so, but just in case)
It may be, it's up to the devs. It isn't a *security* issue so I don't see it being back ported to 1.1.x though.
Well, I just meant for future versions.
The existence of this bug encourages spambot accounts, but otherwise, yea, not a security issue.
I'll wait and see. Thanks!
If it is changed I see it only being changed in 2.0.
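Added example, not part of the thread and not SMF's own code: a standalone PHP audit that flags the profiles described in the first post (a website URL stored with no title, so the link renders with no visible text) and lists zero-post accounts first. The column names memberName and posts and the function names are assumptions; the sample rows are constructed.

```php
<?php
// Added example, not SMF code. ID_MEMBER, websiteUrl and websiteTitle appear
// in the thread; memberName and posts are assumed column names.

/** True when the value is empty once surrounding whitespace is trimmed. */
function is_blank($value)
{
	return trim((string) $value) === '';
}

/**
 * Return members whose profile would render a link with no visible text:
 * a website URL is stored but the website title is blank.
 * Results are ordered by post count, then member id, so zero-post
 * accounts (the pattern described in the thread) come first.
 */
function find_hidden_website_profiles(array $members)
{
	$flagged = array();
	foreach ($members as $row)
	{
		// Skip rows with no URL, and rows whose link has visible text.
		if (is_blank($row['websiteUrl']) || !is_blank($row['websiteTitle']))
			continue;

		$flagged[] = array(
			'ID_MEMBER' => (int) $row['ID_MEMBER'],
			'memberName' => $row['memberName'],
			'posts' => (int) $row['posts'],
			'websiteUrl' => trim($row['websiteUrl']),
		);
	}

	usort($flagged, function ($a, $b) {
		return ($a['posts'] - $b['posts']) ?: ($a['ID_MEMBER'] - $b['ID_MEMBER']);
	});

	return $flagged;
}

// Constructed sample rows, not real forum data.
$members = array(
	array('ID_MEMBER' => 101, 'memberName' => 'alice', 'posts' => 42, 'websiteUrl' => 'http://example.org', 'websiteTitle' => 'My robots'),
	array('ID_MEMBER' => 102, 'memberName' => 'bob', 'posts' => 3, 'websiteUrl' => 'http://example.net', 'websiteTitle' => ''),
	array('ID_MEMBER' => 103, 'memberName' => 'xq81k', 'posts' => 0, 'websiteUrl' => 'http://example.com', 'websiteTitle' => '  '),
	array('ID_MEMBER' => 104, 'memberName' => 'carol', 'posts' => 0, 'websiteUrl' => '', 'websiteTitle' => ''),
);

foreach (find_hidden_website_profiles($members) as $m)
	printf("%d\t%s\tposts=%d\t%s\n", $m['ID_MEMBER'], $m['memberName'], $m['posts'], $m['websiteUrl']);
```

The audit trims both fields before testing them, so a title made only of spaces is treated as blank; the `empty()` test in the workaround does not do that.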