Restricting username characters? (SPOOFING ISSUE)

Started by Jamez345, April 11, 2010, 06:46:41 PM

Jamez345

I want to restrict my forum users' usernames to a-z and 0-9, for the simple reason that I have a spoofing issue. This is caused (according to the member that did it) by using a "special" character to spoof users' names, like the administrator's name, and spam the forums. Can anyone help me with this?

Jamez345

flapjack

try this: locate /Sources/Subs-members.php

find:
// No name?!  How can you register with no name?
if (empty($regOptions['username']))
    $reg_errors[] = array('lang', 'need_username');
add after:
// Check if it's only a..z, A..Z, 0..9
if (preg_match("/[^-a-z-A-Z0-9_]/i", $regOptions['username']))
{
    $reg_errors[] = array('lang', 'need_username');
}

A user trying to register with characters other than ("0".."9", "a".."z", "A".."Z") will receive the same error as if he hadn't entered any name at all. You can add an additional string to your language file and change it if you like.

let me know if it works :)


edit: one more thing, you can restrict characters in:
    * Administration Center » Registration » Set Reserved Names
but you will need to list all unwanted ones


Jamez345

Oh, if anyone wants to know, the spoofing issue is caused by a "ghost" character. If anyone needs it in order to restrict it from being used, I will provide it.


Jamez345

Uhmm, no, sadly, but the person that found the exploit said that using that other option you mentioned and blocking the ghost character made it work. :s Sorry for wasting your time :(

iverSUN

Quote from: flapjack on April 11, 2010, 09:33:34 PM
try this: locate /Sources/Subs-members.php

find:
// No name?!  How can you register with no name?
if (empty($regOptions['username']))
    $reg_errors[] = array('lang', 'need_username');
add after:
// Check if it's only a..z, A..Z, 0..9
if (preg_match("/[^-a-z-A-Z0-9_]/i", $regOptions['username']))
{
    $reg_errors[] = array('lang', 'need_username');
}

A user trying to register with characters other than ("0".."9", "a".."z", "A".."Z") will receive the same error as if he hadn't entered any name at all. You can add an additional string to your language file and change it if you like.

let me know if it works :)


edit: one more thing, you can restrict characters in:
    * Administration Center » Registration » Set Reserved Names
but you will need to list all unwanted ones

I've had a similar problem to this. This describes the issue: http://packetstormsecurity.com/files/124428/Simple-Machines-Forum-Username-Faking-Clickjacking.html

I want users to still be able to use spaces, underscores, hyphens, and periods. What's the best way to allow those while prohibiting the use of ampersands, semicolons, plus signs, and pound signs/hash tags?

I've tried restricting just characters in the admin panel, and it doesn't seem to work.

Black Tiger

I would like that too, that they also can use spaces.

On vBulletin I used this one:
^[A-Z0-9_ -]+$
which included the use of the minus and underscore characters, as you can see. It seems this also allowed a-z as well as A-Z for some reason.
I don't know what the +$ is for, maybe space?

So I would like to know the correct implementation for SMF if possible, with only those characters; I don't need hyphens or periods for them.
Greetings, Black Tiger

iverSUN

I solved my own problem.

// No name?!  How can you register with no name?
if (empty($regOptions['username']))
    $reg_errors[] = array('lang', 'need_username');

// Check if it's only a..z, A..Z, 0..9
if (preg_match("/[^-a-z-A-Z0-9_ .]/i", $regOptions['username']))
{
    $reg_errors[] = array('lang', 'bad_username');
}
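Added example (not code from this thread, and not SMF's own code): a standalone PHP script that shows the check from flapjack's and iverSUN's posts in both shapes, the negated character class `[^...]` used in the Subs-Members.php edit above and the anchored allow-list `^[...]+$` that Black Tiger quoted from vBulletin. The function names, the sample usernames, and the use of a zero-width space as a stand-in for the "ghost" character are all assumptions of this example, not facts from the thread.

```php
<?php
// Added example, not from the thread or from SMF. Function names and sample
// usernames are constructed for this demo.

// Negated-class form from the thread: reject if ANY character falls outside
// the allowed set. Allowed here: letters, digits, underscore, space, period,
// hyphen (iverSUN's variant). Both letter ranges are listed, so /i is not needed.
function has_disallowed_char(string $username): bool
{
    return preg_match('/[^a-zA-Z0-9_ .-]/', $username) === 1;
}

// Equivalent anchored allow-list form (the ^...+$ shape Black Tiger asked about):
// ^ = start of string, + = one or more allowed characters, $ = end of string.
// Without the D modifier, $ also matches just before a trailing newline, so
// "name\n" would slip through; /D makes $ match only at the very end.
function is_valid_username(string $username): bool
{
    return preg_match('/^[a-zA-Z0-9_ .-]+$/D', $username) === 1;
}

// Mirrors the two checks in the Subs-Members.php edit: empty name first,
// then the character allow-list, using the same error keys as the thread.
function check_registration(string $username): array
{
    $errors = [];
    if ($username === '') {
        $errors[] = 'need_username';
    } elseif (!is_valid_username($username)) {
        $errors[] = 'bad_username';
    }
    return $errors;
}

// Constructed test vectors. "\xE2\x80\x8B" is a zero-width space (U+200B), an
// invisible character that makes "admin" and "admin<ZWSP>" look identical on
// screen; it stands in here for the kind of character an allow-list rejects.
$samples = [
    'Jamez345'            => true,
    'Black Tiger'         => true,   // space allowed by listing it in the class
    'black.tiger_2010'    => true,
    'my-name'             => true,
    ''                    => false,  // empty name
    'user@example.com'    => false,  // email-style names rejected
    'admin&nbsp;'         => false,  // ampersand and semicolon rejected
    "admin\xE2\x80\x8B"   => false,  // invisible zero-width space rejected
    "Jamez345\n"          => false,  // trailing newline caught by /D
    'C++'                 => false,  // plus sign rejected
];

foreach ($samples as $name => $expected) {
    $name = (string) $name;
    $ok = is_valid_username($name);
    printf("%-28s %s  errors=%s\n", json_encode($name),
        $ok ? 'allowed ' : 'rejected', json_encode(check_registration($name)));
    assert($ok === $expected);
    // The negated-class check and the anchored check agree on every sample
    // except the empty string, where the negated class finds nothing to reject.
    assert($name === '' || has_disallowed_char($name) === !$ok);
}
```

In `^[A-Z0-9_ -]+$`, `^` anchors the start, `+` means one or more characters from the class, and `$` anchors the end; the space is allowed simply by listing it inside the brackets, and `-` placed last is a literal hyphen. A pattern that lists only `A-Z` accepts lowercase letters only when it is matched case-insensitively (PHP's `/i` modifier), which is why writing both ranges out and dropping `/i` gives the same result with less room for surprise. The anchored form is the easier one to reason about, because it states what is allowed rather than what is forbidden.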

Black Tiger

Is it safe to use it like this? Shouldn't the space be replaced by something else, like &nbsp; or %20 or something like that?
Greetings, Black Tiger

Kindred

Why! A username is not a URL or an HTML entity...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Black Tiger

I'm just asking. I'm not into code.

So if I use it like this:
if ( preg_match("/[^-a-z-A-Z0-9_ .]/i", $regOptions['username']) )
then only a-z, A-Z, 0-9, underscore, minus character (-) and dot are allowed? If yes, I can use that too.
Greetings, Black Tiger

Kindred

Thing is...  The spoofing issue described in that link was addressed years ago....

Black Tiger

Well in my case it's not the spoofing thing, I just want to have my users register with "normal" usernames and not all kind of characters or have usernames as their email addresses.
Greetings, Black Tiger