#2968 closed defect (bug) (worksforme)
WP lets two different users register with same user name
| Reported by: | RuddO | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Severity: | critical | Version: | 2.0.3 |
| Component: | Administration | Keywords: | |
| Focuses: | | Cc: | |
Description
This can't possibly be happening! I haven't determined yet if this lets users log in with, say, full admin privileges, but today I awoke hungover to discover this (RFC822):

```
Return-Path: <apache@amauta2.propagation.net>
Received: from amauta2.propagation.net (localhost [127.0.0.1]) by amauta2.propagation.net (8.13.7/8.13.4) with ESMTP id k6MAhgEC003481 for <rudd-o@rudd-o.com>; Sat, 22 Jul 2006 05:43:42 -0500
Received: (from apache@localhost) by amauta2.propagation.net (8.13.7/8.13.7/Submit) id k6MAhg5I003480; Sat, 22 Jul 2006 05:43:42 -0500
Date: Sat, 22 Jul 2006 05:43:42 -0500
Message-Id: <200607221043.k6MAhg5I003480@amauta2.propagation.net>
To: rudd-o@rudd-o.com
Subject: [Rudd-O] New User Registration
MIME-Version: 1.0
From: wordpress@rudd-o.com
Content-Type: text/plain; charset="utf-8"
X-Virus-Scanned: ClamAV 0.88.3/1614/Fri Jul 21 15:27:38 2006 on amauta2.propagation.net
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.6 (2005-12-07) on amauta2.propagation.net
X-Spam-Level:
X-Spam-Status: No, score=-5.1 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, NO_REAL_NAME autolearn=ham version=3.0.6
Status: O
X-UID: 15194
Content-Length: 89
X-Keywords:
X-Evolution-Source: imap://rudd-o@rudd-o.com/

New user registration on your blog Rudd-O:
Username: Rudd-O
E-mail: kanarxp@yahoo.gr
```
OMIGOD! Why? This shouldn't be possible at ALL!
Change History (3)
Followup:
When trying to do this myself:
ERROR: This username is already registered, please choose another one.
Which is fine. I'm now investigating the database.
(investigating... |/-\|/-\|/-\|/-\|/-\)
Now I found the cause.
"Rudd-O" is my user
" Rudd-O" is the newly registered user
As you can see, although this doesn't represent a security violation per se, it's VERY EASY for users to use this kind of issue (I'm not calling it a bug yet, but I might be willing to, hehe) to produce social engineering attacks and the like.
Why isn't WP doing a trim() on the user name upon registration/login?
Please help me guys. I'll even vow to help you if you give me some pointers, the point being that I don't want to blindly modify one file and discover that the modifications I make cascade into several bugs later on.
More info:
wp-register.php: line 15/162 (9%), col 23/61 (37%), char 349/5741 (6%)
I guess sanitize user isn't sanitizing the user properly? Plus, I wouldn't just blindly trust whatever the user types in user_email, primarily because say a single space before or after could probably throw wrenches in the later machinery. I don't say "we should validate e-mails according to RFC XXX and YYY", but at least a trim and a removal of high bit characters wouldn't hurt, would it?
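Added example (not WordPress code and not the reporter's): a stand-alone Python sketch contrasting the exact-string uniqueness check the ticket describes with one that canonicalizes the submitted name first (trim, collapse whitespace, drop control and non-ASCII characters as the reporter suggests, case-fold), applied to both registration and login lookups. The user registry contents are constructed for the demo.

```python
import re
import unicodedata

# Constructed registry: display name -> account record (no real data).
EXISTING_USERS = {"Rudd-O": "owner-account"}


def naive_is_taken(username, registry=EXISTING_USERS):
    """Exact-match check, the behaviour the ticket describes: ' Rudd-O' is 'new'."""
    return username in registry


def canonical_username(raw):
    """Canonical form used for every uniqueness check and login lookup.

    Assumption: usernames are ASCII-only, so anything outside printable
    ASCII (including 'high bit' bytes and zero-width characters) is dropped.
    """
    s = unicodedata.normalize("NFKC", raw)          # fold compatibility forms, NBSP -> space
    s = "".join(ch for ch in s if 0x20 <= ord(ch) < 0x7F)
    s = re.sub(r"\s+", " ", s).strip()               # trim and collapse inner whitespace
    return s.casefold()                              # 'Rudd-O' and 'rudd-o' are the same account


def hardened_is_taken(username, registry=EXISTING_USERS):
    """Compare canonical forms on both sides so stored legacy names are covered too."""
    canon = canonical_username(username)
    return any(canonical_username(existing) == canon for existing in registry)


def register(username, registry):
    """Return True if the account is created; False for duplicates or empty names."""
    canon = canonical_username(username)
    if not canon or hardened_is_taken(username, registry):
        return False
    registry[username.strip()] = "new-account"
    return True


def demo():
    """Replay the ticket: naive path accepts ' Rudd-O', hardened path rejects it."""
    naive = dict(EXISTING_USERS)
    hardened = dict(EXISTING_USERS)
    naive_accepted = not naive_is_taken(" Rudd-O", naive)
    if naive_accepted:
        naive[" Rudd-O"] = "lookalike-account"
    return naive_accepted, register(" Rudd-O", hardened), len(naive), len(hardened)


if __name__ == "__main__":
    print(demo())  # (True, False, 2, 1)
```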