Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 6 years ago

#2968 closed defect (bug) (worksforme)

WP lets two different users register with same user name

Reported by: RuddO Owned by:
Milestone: Priority: high
Severity: critical Version: 2.0.3
Component: Administration Keywords:
Focuses: Cc:


Thiss can't possibly be happening! I haven't determined yet if this lets users log in with, say, full admin privileges, but today I awoke hungover to discover this (RFC822):

Return-Path: <apache@amauta2.propagation.net>
Received: from amauta2.propagation.net (localhost []) by
        amauta2.propagation.net (8.13.7/8.13.4) with ESMTP id k6MAhgEC003481 for
        <rudd-o@rudd-o.com>; Sat, 22 Jul 2006 05:43:42 -0500
Received: (from apache@localhost) by amauta2.propagation.net
        (8.13.7/8.13.7/Submit) id k6MAhg5I003480; Sat, 22 Jul 2006 05:43:42 -0500
Date: Sat, 22 Jul 2006 05:43:42 -0500
Message-Id: <200607221043.k6MAhg5I003480@amauta2.propagation.net>
To: rudd-o@rudd-o.com
Subject: [Rudd-O] New User Registration
MIME-Version: 1.0
From: wordpress@rudd-o.com
Content-Type: text/plain; charset="utf-8"
X-Virus-Scanned: ClamAV 0.88.3/1614/Fri Jul 21 15:27:38 2006 on
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.6 (2005-12-07) on 
X-Spam-Status: No, score=-5.1 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
        NO_REAL_NAME autolearn=ham version=3.0.6
Status: O
X-UID: 15194
Content-Length: 89
X-Evolution-Source: imap://rudd-o@rudd-o.com/

New user registration on your blog Rudd-O:

Username:  Rudd-O

E-mail: kanarxp@yahoo.gr

OMIGOD! Why? This shouldn't be possible at ALL!

Change History (3)

#1 @RuddO
9 years ago


When trying to do this myself:

ERROR: This username is already registered, please choose another one.

Which is fine. I'm now investigating the database.

(investigating... |/-\|/-\|/-\|/-\|/-\)

Now I found the cause.

"Rudd-O" is my user
" Rudd-O" is the newly registrated user

As you can see, although this doesn't represent a security violation per se, it's VERY EASY for users to use this kind of issue (I'm not calling it a bug yet, but I might be willing to, hehe) to produce social engineering attacks and the like.

Why isn't WP doing a trim() on the user name upon registration/login?

Please help me guys. I'll even vow to help you if you give me some pointers, the ponit being that I don't want to blindly modify one file and discover that the modifications I make cascade into several bugs later on.

More info:

wp-register.php: line 15/162 (9%), col 23/61 (37%), char 349/5741 (6%)

$user_login = sanitize_user( $_POSTuser_login? );
$user_email = $_POSTuser_email?;

I guess sanitize user isn't sanitizing the user properly? Plus, I wouldn't just blindly trust whatever the user types in user_email, primarily because say a single space before or after could probably throw wrenches in the later machinery. I don't say "we should validate e-mails according to RFC XXX and YYY", but at least a trim and a removal of high bit characters wouldn't hurt, would it?

#2 @darkfate
9 years ago

Well, the sanitize_user function allows for a space, so it is possible to have the space in front since it's not doing trim.

	$username = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $username);
	$username = preg_replace('/&.+?;/', '', $username); // Kill entities

#3 @foolswisdom
9 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

Closing bug as Works for me.

ENV: 2.1-alpha3 (svn 4194)

Can't reproduce bug, guessing that it has been fixed previously.

Creating user " Rudd-O" fails b/c considered the same as user "Rudd-O".

Note: See TracTickets for help on using tickets.