Advisory: XMB Forum User Impersonation - 2006-04-15
Affected Versions:
- XMB 1.9.5 Nexus Final and prior
- XMB 1.10.0 snapshot and earlier
Severity:
This isn't really a huge issue - it doesn't compromise any accounts nor the server in any way - it's just a minor annoyance if your users aren't the most observant.
Description:
It is possible to register a new account that appears to have an identical username to an existing account and make posts, "U2U" messages, and other actions from this account. The new account will generally have a different account creation date and a different rank, so observant users won't fall for it. Regardless, the underlying fault is that XMB is (arguably incorrectly) blacklisting what it considers bad characters rather than whitelisting acceptable characters, which would be the preferred solution.
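Because the fault is in validation at registration time, a board that has been running with the blacklist may already hold look-alike accounts. The following is an added example, not XMB code, of an administrator's check that groups existing usernames which become identical once Unicode "format" characters (category Cf, which includes the soft hyphen U+00AD) are stripped. The username list is constructed for the example and assumed to be UTF-8; on a real board it would come from the members table, and the function names are this example's own.

```php
<?php
// Added example (not XMB's code): find registered usernames that collide
// with another name once invisible format characters are removed.
// The sample list is constructed here and assumed to be UTF-8.

// Strip Unicode format characters (soft hyphen, zero-width space, ...).
// Requires PCRE with Unicode support (the /u modifier).
function strip_format_chars(string $name): string
{
    $stripped = preg_replace('/\p{Cf}/u', '', $name);
    // preg_replace returns null for invalid UTF-8; keep the raw name so
    // such an account is still listed rather than silently skipped.
    return $stripped === null ? $name : $stripped;
}

// Return groups of usernames that become identical after stripping,
// keyed by the stripped form; only groups with more than one member.
function find_lookalike_groups(array $usernames): array
{
    $groups = array();
    foreach ($usernames as $name) {
        $key = strip_format_chars($name);
        $groups[$key][] = $name;
    }
    return array_filter($groups, function ($members) {
        return count($members) > 1;
    });
}

// Constructed sample data: one genuine name, one copy with a soft hyphen,
// one with a zero-width space appended, plus an unrelated account.
$usernames = array(
    'moderator',
    "mod\xC2\xADerator",        // soft hyphen after "mod"
    "moderator\xE2\x80\x8B",    // zero-width space (U+200B) appended
    'bystander',
);

foreach (find_lookalike_groups($usernames) as $stripped => $members) {
    printf("%s: %d accounts\n", $stripped, count($members));
    foreach ($members as $m) {
        // Show the raw bytes so the hidden characters are visible in the log
        printf("  %s (hex %s)\n", $m, bin2hex($m));
    }
}
```

Run it against a dump of the members table; any group it prints is either a name that slipped past the blacklist or a pair of legitimately different names that the board would nevertheless render identically, and both deserve a look.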
To Reproduce:
- On a Windows machine (on another OS you'll need to figure out how to insert ASCII characters by their decimal code), click the registration link and fill out the form, satisfying any CAPTCHA requirements and other fields such as email.
- In the username box, enter the username you wish to impersonate.
- Place the cursor before, after, or anywhere within the username, hold the "alt" key and type 0173. This inserts a soft hyphen character, which is not visible in either MSIE or Mozilla (latest versions); I haven't checked other browsers.
- Complete registration as normal, and set as much of the profile stuff (avatar, et cetera) to match original user.
- Post inflammatory remarks.
Band-aid Fix:
Open the file "member.php" and do a search for the term "$needle". In the array of illegal characters, add a new entry for the soft-hyphen character.
Preferred Solution:
What I'd actually recommend doing is replacing the entire "find = array()" section and what follows with something like this:
if (!preg_match('/^[0-9a-zA-Z_!.?-]+$/', $username))
{
    error($lang['restricted']);
}
In fact, the minimum/maximum username length check could also be rolled into this regular expression, cleaning up the code (well, if you consider regexes clean) considerably.
It must be stressed that I don't believe the browsers are in error here: the specifications are pretty vague about whether the character is a hint or a character, and the fact is that whitelisting allowable characters is always a better solution than blacklisting those considered bad.
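To make the blacklist-versus-whitelist point concrete, here is an added example (not XMB's code) that places the advisory's original blacklist check, the band-aid with the soft hyphen added, and the whitelist regex side by side and runs all three over a few constructed usernames. The helper names, the sample usernames and the 3..32 length bounds folded into the regex quantifier are assumptions of this example; the character set is the one from the advisory's own regex.

```php
<?php
// Added example (not XMB's code): the blacklist check from the advisory's
// "before" code beside the whitelist check it recommends, run over a few
// constructed usernames.

// Original approach: reject only characters on a blacklist.
function username_ok_blacklist(string $username): bool
{
    $find = array('<', '>', '|', '"', '[', ']', '\\', ',', '@', '\'', ' ');
    foreach ($find as $needle) {
        if (false !== strpos($username, $needle)) {
            return false;
        }
    }
    return strlen($username) >= 3 && strlen($username) <= 32;
}

// Band-aid from the advisory: add the soft hyphen to the blacklist.
// Both its ISO-8859-1 byte (0xAD) and its UTF-8 form (0xC2 0xAD) are listed,
// because which one the form submits depends on the board's charset.
function username_ok_bandaid(string $username): bool
{
    foreach (array("\xAD", "\xC2\xAD") as $needle) {
        if (false !== strpos($username, $needle)) {
            return false;
        }
    }
    return username_ok_blacklist($username);
}

// Preferred approach: whitelist the accepted characters, with the 3..32
// length rule rolled into the quantifier as the advisory suggests.
// \z is used instead of $ because PCRE's $ also matches before a
// trailing newline, which would let "user\n" through.
function username_ok_whitelist(string $username): bool
{
    return preg_match('/^[0-9a-zA-Z_!.?-]{3,32}\z/', $username) === 1;
}

// Constructed samples: a legitimate name, the same name with a soft hyphen
// inserted in each encoding, a name with a trailing newline, and one with
// a blacklisted character.
$samples = array(
    'admin',
    "ad\xC2\xADmin",   // UTF-8 soft hyphen
    "ad\xADmin",       // ISO-8859-1 soft hyphen
    "admin\n",
    'ad<min',
);

printf("%-14s %-10s %-8s %s\n", 'sample', 'blacklist', 'bandaid', 'whitelist');
foreach ($samples as $s) {
    printf("%-14s %-10s %-8s %s\n",
        addcslashes($s, "\0..\37\177..\377"),   // show hidden bytes as escapes
        username_ok_blacklist($s) ? 'accept' : 'reject',
        username_ok_bandaid($s)   ? 'accept' : 'reject',
        username_ok_whitelist($s) ? 'accept' : 'reject');
}
```

The table the script prints shows the asymmetry directly: the blacklist accepts both soft-hyphen variants and the trailing newline, the band-aid catches only the one character it was told about, and the whitelist rejects everything that is not explicitly allowed without anyone having to enumerate the next invisible character.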
Unified Diff:
--- member_old.php Sat Mar 25 20:35:37 2006
+++ member.php Sun Apr 16 04:04:56 2006
@@ -417,13 +417,17 @@
}
} else {
- $find = array('<', '>', '|', '"', '[', ']', '\\', ',', '@', '\'', ' ');
+ if (!preg_match('/^[0-9a-zA-Z_!.?-]+$/', $username))
+ {
+ error($lang['restricted']);
+ }
+/* $find = array('<', '>', '|', '"', '[', ']', '\\', ',', '@', '\'', ' ');
foreach ($find as $needle) {
if (false !== strpos($username, $needle)) {
error($lang['restricted']);
}
}
+*/
if(strlen($username) < 3 || strlen($username) > 32) {
error($lang['username_length_invalid']);
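Review bot: the new check is added above the old blacklist but the old block is kept inside a `/* ... */` comment instead of being deleted; the diff itself records the removal, and leaving a dead `error($lang['restricted']);` branch in the file will mislead the next reader. Also, in PCRE the `$` in `/^[0-9a-zA-Z_!.?-]+$/` matches before a final newline, so a username ending in a newline passes this test; anchor with `\z` (or add the `D` modifier). Since the length test `strlen($username) < 3 || strlen($username) > 32` follows immediately, both could be folded into one expression, `/^[0-9a-zA-Z_!.?-]{3,32}\z/`, as the advisory text itself suggests.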
}
Vendor Response:
No response from vendor.
Timeline:
- 2006-03-14: Vendor notified by email
- 2006-03-31: Vendor notified on their support forum.
- 2006-04-15: Public Disclosure.
Credits:
- Jamie Fraser, Hungry Hacker Labs