Members getting around the ban

[Ride]

I wont allow hotmail/yahoo addresses on my forum.  Today I got a message from a member.  What do ya think?

Hi.
I found a bug in the forum. Thought you may be interested.
Anyway, if someone wants to create a new account, they can do so by using a free e-mail.
Here's how it works.

1) Create new user ID and enter a false e-mail address with a real domain [email protected].
2) Since you won't actually get the activation e-mail, go to the "Did you miss your activation email?"
    on the MtHigh Forum website and change your e-mail to a hotmail or yahoo account.
3) Go to hotmail/yahoo account and activate your new screen name.
4) Log in. You will see the message "You've been banned for having a free e-mail account.. blah 
  blah...blah."
5)Log out... then log back in.. now you can post messages.

Just though I'd let you know.

[Metho]

Haha, that's pretty funny. Good work to them for seeing that. I've already found and crudely (very crudely) solved the problem, (in about 45 seconds), so this'll get passed on to the dev's and should be taken care of quite soon.

Thanks much,

- Methonis

[[Unknown]]

 ! If you changed your email before activating, you might be able to get past a ban. (Register.php)

-[Unknown]

[Ride]

Will you be posting the fix here so I can get this corrected?

[[Unknown]]

Find this:

Code Select Expand

// Change their email address? (they probably tried a fake one first :P.)

Replace that whole block of code with:

Code Select Expand

// Change their email address? (they probably tried a fake one first :P.)
if (isset($_POST['new_email']) && isset($_REQUEST['passwd']) && md5_hmac($_REQUEST['passwd'], strtolower($row['memberName'])) == $row['passwd'])
{
if (preg_match('~^[0-9A-Za-z=_+\-/][0-9A-Za-z=_\'+\-/\.]+@[\w\-]+(\.[\w\-]+)*(\.[\w]{2,6})$~', stripslashes($_POST['new_email'])) == 0)
fatal_error(sprintf($txt[500], htmlspecialchars($_POST['new_email'])), false);

// Maybe they'll have a better email address for us this time?
if (!empty($_SESSION['ban']['cannot_register']['type']) && $_SESSION['ban']['cannot_register']['type'] == 'email_ban')
$_SESSION['ban']['cannot_register'] = array(
'is_banned' => false
);
if (!empty($_SESSION['ban']['full_ban']['type']) && $_SESSION['ban']['full_ban']['type'] == 'email_ban')
$_SESSION['ban']['full_ban'] = array(
'is_banned' => false
);

// Okay, boy, you banned?
$request = db_query("
SELECT restriction_type, reason
FROM {$db_prefix}banned
WHERE ban_type = 'email_ban'
AND '$_POST[new_email]' LIKE email_address
AND (restriction_type = 'cannot_register' OR restriction_type = 'full_ban')", __FILE__, __LINE__);
while ($row2 = mysql_fetch_assoc($request))
{
$_SESSION['ban'][$row2['restriction_type']] = array(
'is_banned' => true,
'reason' => empty($row2['reason']) ? '' : '<br /><br /><b>' . $txt['ban_reason'] . ':</b> ' . $row2['reason'],
'type' => 'email_ban'
);
}
mysql_free_result($request);

// Alright... seems that email is banned.  Punk?  Thought you could get through, eh?
if ($_SESSION['ban']['full_ban']['is_banned'] || $_SESSION['ban']['cannot_register']['is_banned'])
{
// Make a note of this punk.
db_query("
INSERT INTO {$db_prefix}log_banned
(ID_MEMBER, ip, email, logTime)
VALUES ($row[ID_MEMBER], '$user_info[ip]', '$_POST[new_email]', " . time() . ')', __FILE__, __LINE__);

// Wow, you're heavy-duty banned.... shucks to be you!
if ($_SESSION['ban']['full_ban']['is_banned'])
fatal_error(sprintf($txt[430], $txt[28]) . $_SESSION['ban']['full_ban']['reason']);

// Probably just the email host is blocked..
if ($_SESSION['ban']['cannot_register']['is_banned'])
fatal_error($txt['ban_register_prohibited'] . '!' . $_SESSION['ban']['cannot_register']['reason']);
}

// Ummm... don't even dare try to take someone else's email!!
$request = db_query("
SELECT ID_MEMBER
FROM {$db_prefix}members
WHERE emailAddress = '$_POST[new_email]'
LIMIT 1", __FILE__, __LINE__);
if (mysql_num_rows($request) != 0)
fatal_error(sprintf($txt[730], htmlspecialchars($_POST['new_email'])), false);
mysql_free_result($request);

updateMemberData($row['ID_MEMBER'], array('emailAddress' => "'$_POST[new_email]'"));
$row['emailAddress'] = $_POST['new_email'];

$email_change = true;
}

-[Unknown]

[nil]

I love it!

[Ride]

Thanks!