Sensei
Posted May 22, 2016

Hello!

I noticed that newly joined member http://www.scienceforums.net/user/117635-n≡xt/ used some generally considered as illegal characters in his/her nickname.

It's potentially dangerous for database, and security, if code responsible for accepting nickname is allowing any characters in UTF..

Only nicknames with a-z,A-Z,_,-,0-9 should be allowed to be made IMHO.

Please notice we can't even write his/her name in reply, don't know what key press on keyboard to have these three horizontal lines (second char in nickname)..

He/she made it accidentally, but revealed potentially dangerous leakage of forum software.

Best Regards!

swansont
Posted May 22, 2016

You can copy/paste. This is no different than someone showing up and typing in any other alphabet.

What exactly is "dangerous"?

Sensei (Author)
Posted May 22, 2016 (edited)

> What exactly is "dangerous"?

Injection of code to execute in string passed to forum software as nickname (or any other parameter that is not properly checked prior to putting in database, sent by f.e. HTTP GET/POST methods).

f.e. if you have PHP & MySQL db, which is not properly protected from injection, somebody can send string like " ' ); [some code here]"

command is finished by apostrophe (or so), and then closing parenthesis, later come commands to execute and intercept the whole server for example...

Don't make this thread a lesson how to break-in some server..

https://en.wikipedia.org/wiki/Code_injection

Edited May 22, 2016 by Sensei

timo
Posted May 22, 2016 (edited)

> What exactly is "dangerous"?

My guess is that Sensei thinks about dangers of SQL-injections or, more generally, the problem that a software may not be able to a) properly handle the input it gets and b) is also not able to handle problems that occur. For example: Assume your software takes a username USERNAME and issues the command to create that user in the database as

    create_user("USERNAME")

Choosing the username

    dummy")delete_database()"create_user("youAreScrewed

this would cause the following commands to be passed to the database

    create_user("dummy")
    delete_database()
    create_user("youAreScrewed")

The forum software used by sfn is a commercial product used on many forums. I would be somewhat surprised if the developers of commercial software were unaware of how to develop software, though. I mean, there is even an xkcd comic about this (https://xkcd.com/327/). The question which characters to allow appears in all software development (and be it only for the documentation). So if unconventional characters are allowed I assume that this was on purpose.

EDIT: Guess I guessed correctly.

Edited May 22, 2016 by timo
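
The mechanism timo describes above, as an added example that is not part of the original thread or of the forum software: the same nickname is stored once by pasting it into the SQL text and once as a bound parameter. Python's `sqlite3` stands in for the PHP/MySQL stack mentioned in the thread; the table names, function names and both sample nicknames are constructed for illustration.

```python
import sqlite3

# Constructed sample inputs: the thread's Unicode nickname and a quote-closing
# string shaped like timo's create_user example.
UNICODE_NAME = "N\u2261XT"
QUOTE_BREAKING_NAME = "dummy'); DROP TABLE posts; --"


def fresh_db():
    """In-memory database with the two hypothetical tables used below."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (name TEXT);"
        "CREATE TABLE posts (body TEXT);"
    )
    return db


def table_names(db):
    """Names of the tables that currently exist."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def create_user_concat(db, name):
    """Vulnerable form: the nickname is pasted into the SQL text."""
    db.executescript("INSERT INTO users (name) VALUES ('" + name + "');")


def create_user_bound(db, name):
    """Hardened form: the nickname is a bound parameter, treated as data only."""
    db.execute("INSERT INTO users (name) VALUES (?)", (name,))


def run_case(create_user, name):
    """Return (tables left, stored names) after creating one user."""
    db = fresh_db()
    create_user(db, name)
    names = [r[0] for r in db.execute("SELECT name FROM users")]
    return table_names(db), names


if __name__ == "__main__":
    for fn in (create_user_concat, create_user_bound):
        for name in (UNICODE_NAME, QUOTE_BREAKING_NAME):
            print(fn.__name__, repr(name), run_case(fn, name))
```

The ≡ character is stored unchanged by both functions; only the quote-closing nickname changes what the concatenating version executes, and the bound version stores that nickname as an ordinary string.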

NEXT
Posted May 22, 2016 (edited)

As for the naming of my profile, the key terms that were used to create my profile username is by using ( Alt-240 ) in combination. However if it were to cause the issues now brought up by both sensei and timo then I can see that it will create a problem later in the future as well. Therefore I will change my UserName to something more database friendly.

Thank You
Scientifically Next :3

Edited May 22, 2016 by N≡XT

Sensei (Author)
Posted May 22, 2016

> I would be somewhat surprised if the developers of commercial software were unaware of how to develop software, though.

Tell this to Microsoft, Adobe, Apple, Google etc. etc. sending frequently "critical vulnerability has been found, new patch for software/OS"..

swansont
Posted May 22, 2016

> f.e. if you have PHP & MySQL db, which is not properly protected from injection,

But how do you know it is not properly protected?

John Cuthber
Posted May 23, 2016

The reason that "odd" characters sometimes cause problems is that they are recognised as commands. I'm not really a programmer but I haven't seen that character used in code so it's almost certainly not a command, and thus not a threat.

timo
Posted May 23, 2016 (edited)

> Tell this to Microsoft, Adobe, Apple, Google etc. etc. sending frequently "critical vulnerability has been found, new patch for software/OS"..

You have a point there. In fact, this forum software has, or at least has had, related security issues. Including some that seem surprisingly stupid from as far as I can tell from a glance. However, they are a bit "deeper" than invalid human user input, which I still think commercial software developers are aware of it being a potential problem.

EDIT: I hereby take back everything I said and argue for the opposite. Checking the software's forum there indeed was a case of someone who had a problem with special characters in usernames (in 2008). At least the reply was somewhat according to common folklore, saying that the underlying database was to blame for not being able to handle the input given by the forum software ( , and also http://dilbert.com/strip/2004-07-31) [alas, I can't re-find the thread I saw ...].

Edited May 23, 2016 by timo