$ Dollar sign username security problem ?

Started by hartiberlin, October 28, 2012, 01:59:30 PM

hartiberlin

Hi,

I just saw that in my SMF 2.02 / PortaMX 1.51 forum
there is a username that consists of just the
$
sign (dollar sign), and when I click on it
it takes me to my user account as the forum admin,
although it has a different email address and is also listed at the NEWBIE membergroup level.....

So is it a hacker that has the same admin permission as me, the admin of the forum??

Many thanks for the help.

Regards, Stefan.

Storman™

Quote from: hartiberlin
sign (dollar sign) as the username and when I click on it
it takes me to my user account as the forum admin

If you click on it whilst logged in then it should take you to that account. If the account should not have Admin privileges then I'd be very concerned.

Immediately change the Primary membership group of that user to "no primary membergroup" and amend their password and email address. Make a note of the email address in case you need to revert it back.

Once you've done that you can start investigating, as it does sound slightly fishy...

From what you've said when you click on it does it go to YOUR account ??

hartiberlin

When I am logged in as the admin and click on this $ sign username,
I get to my own admin account with my email address!

That is so strange !

But under users it is displayed as Newbie!

Hmm....

Storman™

Quote from: hartiberlin
But under users it is displayed as Newbie!

Well, it will be a Newbie if they have few posts.

Send me a linky by pm if you wish - happy to peep at this one as it intrigues me  ;)



Read this before you do that though:

A reminder about ftp/admin passwords

Colin

Quote from: hartiberlin on October 28, 2012, 02:32:11 PM
When I am logged in as the admin and click on this $ sign username,
I get to my own admin account with my email address!

That is so strange !

But under users it is displayed as Newbie!

Hmm....
Are you sure it is your own account or a duplicate with similar details?
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

hartiberlin

Well, I just realized it is related to the SEF setting on PortaMX 1.51.

Somehow the $ sign
is not converted to
/profile/$/

but only to
/profile/

and so it takes me just to my own profile...

When I disable the SEF setting in PortaMX it takes me correctly to his
profile like:
/profile/$/

I now deleted this user as he also only had 1 unimportant posting....

Maybe under restricted usernames I can now put
the $ sign as a single letter,
or does that break anything??
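The behaviour described in this post, as an added illustration that is not SMF's or PortaMX's code (both are PHP; this is a stand-alone Python sketch with assumed names and rules): a "search-engine-friendly" rewriter that strips characters it considers unsafe turns the profile link for the user named "$" into a link with an empty name segment, and a router that treats an empty segment as "my own profile" then sends the admin to the admin's page. Percent-encoding the segment instead keeps the name intact, and a round-trip audit over the member list catches any name whose link no longer resolves back to its owner.

```python
"""Added example, not SMF or PortaMX code.

Models how a lossy SEF URL rewriter can collapse the profile link of the
user "$" into a link to the viewer's own profile, and how percent-encoding
the path segment avoids the collapse. The member table, stripping rule and
router fallback are assumptions for illustration only.
"""
import re
from typing import Callable, Dict, Optional
from urllib.parse import quote, unquote

# Constructed member table: member id -> display name.
MEMBERS: Dict[int, str] = {1: "admin", 2: "hartiberlin", 3: "$"}


def lossy_sef_profile_url(name: str) -> str:
    """Assumed lossy rewriter: drops everything outside [A-Za-z0-9_-]
    before building /profile/<name>/ (the failure mode seen in the thread)."""
    cleaned = re.sub(r"[^A-Za-z0-9_-]", "", name)
    return f"/profile/{cleaned}/"


def safe_sef_profile_url(name: str) -> str:
    """Hardened form: percent-encode the segment so no character is lost."""
    return f"/profile/{quote(name, safe='')}/"


def resolve_profile(path: str, viewer_id: int) -> Optional[int]:
    """Assumed router: /profile/<name>/ looks the member up by name; an
    empty segment falls back to the viewer's own profile, which is why
    the stripped link for "$" lands on the admin's account."""
    m = re.fullmatch(r"/profile/(?P<seg>[^/]*)/", path)
    if m is None:
        return None
    seg = unquote(m.group("seg"))
    if seg == "":
        return viewer_id
    for member_id, member_name in MEMBERS.items():
        if member_name == seg:
            return member_id
    return None


def audit_links(members: Dict[int, str],
                url_fn: Callable[[str], str]) -> Dict[int, str]:
    """Defender's check: return every member whose generated profile URL
    does not resolve back to that member (viewer_id 0 is not a member, so
    a fallback to "own profile" is reported as a mismatch)."""
    broken: Dict[int, str] = {}
    for member_id, name in members.items():
        url = url_fn(name)
        if resolve_profile(url, viewer_id=0) != member_id:
            broken[member_id] = url
    return broken


if __name__ == "__main__":
    admin_id = 1
    print("lossy:", lossy_sef_profile_url("$"),
          "->", resolve_profile(lossy_sef_profile_url("$"), admin_id))
    print("safe: ", safe_sef_profile_url("$"),
          "->", resolve_profile(safe_sef_profile_url("$"), admin_id))
    print("audit (lossy):", audit_links(MEMBERS, lossy_sef_profile_url))
    print("audit (safe): ", audit_links(MEMBERS, safe_sef_profile_url))
```

The audit is the part worth keeping around: run it over the real member list whenever a URL rewriter or its stripping rules change, and any name that stops round-tripping shows up before a visitor does.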


Storman™

Interesting, one for the PortaMX authors then  ;)

hartiberlin

Why does SMF support usernames with single characters at all ??

Is there a fix for this ??

Can I just put $

into the reserved usernames?

Or better

$*

Will the star work for all letters behind it ?

Many thanks.

Kindred

no... AFAIK, the SMF restricted usernames is an exact match only.... there is no option for wildcards.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
