Bug Username change item can be exploited

Status
Not open for further replies.

Jeremy

Customer
I caught users on my forum exploiting the username change item so they can use it an infinite number of times. What they do is click Configure, put in the name they want, and leave the page as it's loading. This changes their username, but the item isn't marked as configured, so it lets them do it again. I'm not sure if any other configurable items can be exploited like this.

Thanks!
 
I don't believe I can do anything about this; after all, we are talking about a timing of 1-2 milliseconds if they somehow were able to stop the script after the username change but before it got saved.

It is vitally important that the "yes this item has been configured" happens after the user name is changed, because the code that changes the user name also handles validation (e.g. username is taken, username is not banned, etc).

Otherwise, users who try to change their username to something that's taken will lose their item.
 
The thing is it's actually more like 4 - 5 seconds (or more?) for the full load time, which is why they can do it so many times and I was able to do it on my first try. Perhaps the root of the issue is that it's not fast enough?
 
Do you have email on username change enabled in the settings? If so, that would be why, if your mail server is very very slow.
 
Okay, that is in fact enabled.

It says "You can disable the sending of an email when someone changes another person's username with this setting." Does this mean it doesn't email if they changed their own? Because they are only changing their own usernames.
 
It is true that it only happens when changing another person's username.

The next bit to check is the "Configure Notifications" setting. If a lot of people are receiving the PM about the item being configured, and those people have PM email notifications enabled, then that could also be a generator of slow-downs.
 
The last thing I can think of is that you have some form of plugin that runs on any of the userdata_ hooks that could be affecting execution time.

Can you try disabling all other products, leaving only this one enabled, and see if that changes anything?
 
Here are all the userdata_ hooks under plugins (most are DBT).

Product : DragonByte Tech: Advanced Post Thanks / Like (Pro)
userdata_start
userdata_postsave
userdata_delete

Product : DragonByte Tech: vBAvatars (Pro)
userdata_start

Product : DragonByte Tech: vBCredits II Deluxe (Pro)
userdata_postsave
userdata_presave
userdata_delete

Product : DragonByte Tech: vBShop (Pro)
userdata_delete
userdata_start

Product : Skimlinks Plugin
userdata_start

Product : vBulletin Blog
userdata_start
userdata_delete
userdata_update_username

Does the last one have any significance since it's called update username?

I tried disabling products on a test forum, but couldn't really get conclusive results yet. I'm also wondering if it's related to general server slowness, if the server is just slow when they configured it. Earlier today it was loading for over a minute for me. But later it seemed almost instant and then I wasn't able to do it fast enough. But it does still seem like there must be something causing it because based on the transaction logs it looks like one person was able to do it several times in a row.
 
I don't believe those should have any significance as, except for Skimlinks, I have all of those products enabled at my test environment too.

If your server randomly makes you wait for a minute to load any given page, there's probably something seriously wrong with your server that you should hire someone like George Liu (eva2000 @ vb.com) to look at. His site is here: vbtechsupport.com
 
I was actually able to reproduce it while it loaded much faster. As soon as I clicked Save, I closed the tab I was in. It changed my name, but I was still able to configure the item again. I can do this consistently, so it doesn't seem to be related to how slow the forum is going at the time.

I can also reproduce it on my test forum, although it's hosted on the same server and has similar products installed.
 
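The behaviour described in the two posts above (the developer's note that the name change is committed first and the item is only flagged as configured afterwards, and the reproduction of closing the tab right after clicking Save so that the flag is never written) is an atomicity gap between two separate writes. The following is an added example, not vBShop's or vBulletin's code: a constructed Python/SQLite model of the two-step update, side by side with a version that consumes the item and renames the user inside one transaction, so that a client abort or a failed validation (taken name) rolls both back and the item is neither used twice nor lost. The table names, columns, sample rows and the `abort_after_rename` switch are assumptions made for the demonstration.

```python
"""Two-step 'configure item' race, and the single-transaction fix.

Constructed example: an in-memory SQLite schema stands in for the forum's
user and shop-item tables. This is not vBShop's code.
"""
import sqlite3


class ClientAborted(Exception):
    """Stands in for the browser closing the tab mid-request."""


def make_db():
    # Constructed sample data: user 1 owns one unconfigured item,
    # user 2 holds a name a rename must not be allowed to take.
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit mode
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)")
    conn.execute("CREATE TABLE item (itemid INTEGER PRIMARY KEY, userid INTEGER NOT NULL, "
                 "configured INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [(1, "jeremy"), (2, "taken")])
    conn.execute("INSERT INTO item VALUES (1, 1, 0)")
    return conn


def rename_user(conn, userid, new_name):
    """The username-change routine; validation lives here, as in the thread."""
    if not new_name or len(new_name) > 25:
        raise ValueError("invalid username")
    if conn.execute("SELECT 1 FROM user WHERE username = ?", (new_name,)).fetchone():
        raise ValueError("username taken")
    conn.execute("UPDATE user SET username = ? WHERE userid = ?", (new_name, userid))


def configure_vulnerable(conn, itemid, new_name, abort_after_rename=False):
    """Two autocommitted writes: the rename lands first, the flag is written second."""
    item = conn.execute("SELECT userid, configured FROM item WHERE itemid = ?", (itemid,)).fetchone()
    if item is None or item[1]:
        raise ValueError("item already configured")
    rename_user(conn, item[0], new_name)       # committed immediately
    if abort_after_rename:
        raise ClientAborted()                  # request dies here: flag never written
    conn.execute("UPDATE item SET configured = 1 WHERE itemid = ?", (itemid,))


def configure_atomic(conn, itemid, new_name, abort_after_rename=False):
    """Consume the item and rename inside one transaction; any failure rolls back both."""
    conn.execute("BEGIN IMMEDIATE")            # write lock: a concurrent second request waits
    try:
        cur = conn.execute("UPDATE item SET configured = 1 WHERE itemid = ? AND configured = 0",
                           (itemid,))
        if cur.rowcount != 1:                  # already consumed (or raced by another request)
            raise ValueError("item already configured")
        userid = conn.execute("SELECT userid FROM item WHERE itemid = ?", (itemid,)).fetchone()[0]
        rename_user(conn, userid, new_name)    # validation failure raises -> rollback returns the item
        if abort_after_rename:
            raise ClientAborted()              # abort before COMMIT -> rename is rolled back too
        conn.execute("COMMIT")
    except BaseException:
        conn.execute("ROLLBACK")
        raise


def state(conn):
    """(username of user 1, configured flag of item 1)."""
    name = conn.execute("SELECT username FROM user WHERE userid = 1").fetchone()[0]
    flag = conn.execute("SELECT configured FROM item WHERE itemid = 1").fetchone()[0]
    return name, flag


def run(configure):
    """Drive one implementation: abort mid-request, try a taken name, reuse, then a third use."""
    out = {}
    conn = make_db()
    try:
        configure(conn, 1, "first", abort_after_rename=True)
    except ClientAborted:
        pass
    out["after_abort"] = state(conn)
    try:
        configure(conn, 1, "taken")
        out["taken_name"] = "accepted"
    except ValueError:
        out["taken_name"] = "rejected"
    out["after_taken"] = state(conn)
    try:
        configure(conn, 1, "second")
        out["reuse"] = "accepted"
    except ValueError:
        out["reuse"] = "rejected"
    out["final"] = state(conn)
    try:
        configure(conn, 1, "third")
        out["third_use"] = "accepted"
    except ValueError:
        out["third_use"] = "rejected"
    return out


if __name__ == "__main__":
    print("vulnerable:", run(configure_vulnerable))
    print("atomic:    ", run(configure_atomic))
```

Running it shows the vulnerable path leaving the user renamed to "first" with the item still unconfigured, so the next request renames again; the transactional path leaves either both changes or neither, so the aborted request changes nothing and the item can still be used once. The conditional `UPDATE ... WHERE configured = 0` also rejects a second concurrent request that got past the initial read, and the rollback on a taken name keeps the ordering concern raised in the thread intact: validation still runs inside the name-change routine, but its failure now returns the item instead of losing it.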
Our XF demo board currently hasn't been updated in a while, I'll see about getting it upgraded soon and get back to you :)
 
Hey, just wanted to check up on this to see if you were able to update it. Also, what's the link to the board? And is there one for vB? Thanks.
 
I don't have an XF license and I'm just trying to find somewhere I can reproduce it to show that it can be done. I don't know that it would work with the XF version anyway. I take it vBShop has been removed from this forum (it used to be here)?
 
We slimmed down the amount of products we have running here in order to create a better experience for people who only come here for support.

Sorry :(
 
Legacy vBShop (vBulletin 3.8.x / 4.x.x), seller: DragonByte Technologies. Total downloads: 1,260. Customer rating: 0.00 star(s), 0 ratings.