Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Rumbaar
Regular
Regular


Joined: Apr 16, 2004
Posts: 78
Location: Melbourne, Australia

PostPosted: Thu Mar 09, 2006 9:19 pm Reply with quote

Now I'm not sure if this is the correct place to post this, but I'm sure someone will move it if it's not.

Anyways I've installed the latest RavenNuke distro and have notice it will no allow 'fancy' username (ie ASCII based ones). Now I know in previous 'normal' php-nuke version this was available and one later ones it cause session tab issue.

Now my questions is I'm looking to add a 'display name' field to the users table so people can still have their fancy names (they've grow accustom too). I know this will involve changing all the calls to the username to this 'new' field.

Now my security questions is. What kind of validation would I need to parse to the creation of this field, or can I just say limit it to max of say 10-15 character and thus not allow a person to put in any exploitable code. I would use the basic limit function of html and then check the length of the value before updating.

As it will be a display now and not session name this wont cause any other follow on effects?

Also I guess it's security related but why are ASCII based nicknames no longer allowed in php-nuke? What is the thought behind this?

_________________
Victim's aren't we all! 
View user's profile Send private message Visit poster's website
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Thu Mar 09, 2006 9:36 pm Reply with quote

You may want to look at this thread before going down this path:
Only registered users can see links on this board! Get registered or login!

You may be able to just expand the exact ASCII characters that you are wanting.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Rumbaar
PostPosted: Thu Mar 09, 2006 9:45 pm Reply with quote

Ok, thx. Read that and it seems the consensis is that expanding the ASCII range is a security issue. Which I assume with a display name it wouldn't be the same security issue. Square brackets are among those characters desired but no limited too.

To avoid creating any security issue I figured a new field would help. Also as I asked and have seen what is the exact issue with those type of names?
 
montego
PostPosted: Thu Mar 09, 2006 10:41 pm Reply with quote

Unfortunately, I am so far removed from the "script kiddies" that I cannot answer your question. Hopefully someone else out there can???
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Fri Mar 10, 2006 4:53 am Reply with quote

I have a suggestion which might at least offer a sensible work around and as far as I can tell, poses no security issues as the table field data does not interact with anything else.
There is a hack for BBtoNuke forum called 'Custom User Title' which you can configure so that admins only can create a users 'custom title', the users can create their own 'cusom title' or there is a further option so that users can create their own custom title after they have made a pre determined number of forum posts.
Although this extra field will not appear in the users Your Account profile, it will show up in the forums and the forum profile.

It may be worth you installing it to see if it meets your needs without compromising anything.
 
View user's profile Send private message Send e-mail
Rumbaar
PostPosted: Fri Mar 10, 2006 6:10 am Reply with quote

Thx montego, well I don't see how it's script kiddie stuff as you can't use say foreign characters like german (ie üßä) in account names (which I used to use). Anyways.

Thx Guardian I'll be sure look for that 'hack' and see if it can meet the needs of my users and myself. Can't hurt to see, may even give me an idea on how I can go about the change I'm thinking of.
 
montego
PostPosted: Fri Mar 10, 2006 6:59 am Reply with quote

Rumbaar, I am playing the "odds". If it used to work and it does not now, either FB screwed up the later release or the code was patched for a reason.

By the way, you said this in your previous post:

Quote:

Read that and it seems the consensis is that expanding the ASCII range is a security issue


So, I am not the only one questioning it... Wink
 
Rumbaar
PostPosted: Fri Mar 10, 2006 5:00 pm Reply with quote

montego wrote:
.. or the code was patched for a reason.

Yeah I was in part trying to find that reason, but it seems no-one is sure. This was also to help in what I should check for and filter out in the new field if I created it.

It's probably more of a code request question than a pure security question now.

Thx.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©