ASCII based account names, display name.

Posted: Thu Mar 09, 2006 9:19 pm

Now I'm not sure if this is the correct place to post this, but I'm sure someone will move it if it's not.

Anyways I've installed the latest RavenNuke distro and have notice it will no allow 'fancy' username (ie ASCII based ones). Now I know in previous 'normal' php-nuke version this was available and one later ones it cause session tab issue.

Now my questions is I'm looking to add a 'display name' field to the users table so people can still have their fancy names (they've grow accustom too). I know this will involve changing all the calls to the username to this 'new' field.

Now my security questions is. What kind of validation would I need to parse to the creation of this field, or can I just say limit it to max of say 10-15 character and thus not allow a person to put in any exploitable code. I would use the basic limit function of html and then check the length of the value before updating.

As it will be a display now and not session name this wont cause any other follow on effects?

Also I guess it's security related but why are ASCII based nicknames no longer allowed in php-nuke? What is the thought behind this?

Posted: Thu Mar 09, 2006 9:36 pm

You may want to look at this thread before going down this path:
[ Only registered users can see links on this board! Get registered or login! ]

You may be able to just expand the exact ASCII characters that you are wanting.

Posted: Thu Mar 09, 2006 9:45 pm

Ok, thx. Read that and it seems the consensis is that expanding the ASCII range is a security issue. Which I assume with a display name it wouldn't be the same security issue. Square brackets are among those characters desired but no limited too.

To avoid creating any security issue I figured a new field would help. Also as I asked and have seen what is the exact issue with those type of names?

Posted: Thu Mar 09, 2006 10:41 pm

Unfortunately, I am so far removed from the "script kiddies" that I cannot answer your question. Hopefully someone else out there can???

Posted: Fri Mar 10, 2006 4:53 am

I have a suggestion which might at least offer a sensible work around and as far as I can tell, poses no security issues as the table field data does not interact with anything else.
There is a hack for BBtoNuke forum called 'Custom User Title' which you can configure so that admins only can create a users 'custom title', the users can create their own 'cusom title' or there is a further option so that users can create their own custom title after they have made a pre determined number of forum posts.
Although this extra field will not appear in the users Your Account profile, it will show up in the forums and the forum profile.

It may be worth you installing it to see if it meets your needs without compromising anything.

Posted: Fri Mar 10, 2006 6:10 am

Thx montego, well I don't see how it's script kiddie stuff as you can't use say foreign characters like german (ie üßä) in account names (which I used to use). Anyways.

Thx Guardian I'll be sure look for that 'hack' and see if it can meet the needs of my users and myself. Can't hurt to see, may even give me an idea on how I can go about the change I'm thinking of.

Posted: Fri Mar 10, 2006 6:59 am

Rumbaar, I am playing the "odds". If it used to work and it does not now, either FB screwed up the later release or the code was patched for a reason.

By the way, you said this in your previous post:

Quote:

Read that and it seems the consensis is that expanding the ASCII range is a security issue

So, I am not the only one questioning it... Wink

Posted: Fri Mar 10, 2006 5:00 pm

montego wrote:

.. or the code was patched for a reason.

Yeah I was in part trying to find that reason, but it seems no-one is sure. This was also to help in what I should check for and filter out in the new field if I created it.

It's probably more of a code request question than a pure security question now.

Thx.