WordPress.org

Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#6855 closed defect (bug) (invalid)

User Nickname duplication is possible (they are not unique)

Reported by: ffosterdd
Owned by:
Milestone:
Priority: normal
Severity: minor
Version: 2.5.1
Component: Security
Keywords:
Focuses:
Cc:

Description

I have a forum where any user can register. I have noticed in my testing that if my admin has the nickname: "Stupidhead" (or any other nickname) that other users (at least as low as author) can make their nickname also be "Stupidhead", and have it be displayed as such.

This allows users to masquerade as other users. I think this might be a security issue, depending on how you define security.

I don't think this should be allowed... there should be a check before a nickname is set (or at least before a user can set his nickname to one already in use).

Thanks!

Change History (4)

#1 @Viper007Bond
12 years ago

  • Priority changed from high to normal
  • Severity changed from normal to minor

I'm tempted to say this is invalid, especially since this is a plugin (forum) issue, not a WordPress one. And even then, it should be using the username, not the nickname, if it wants something unique.

However, I guess there are cases where you want unique nicknames (post author, etc.). Then again, if you can trust someone enough to make posts on your blog, I assume you can trust them to not pretend to be someone else.

#2 @mrmist
12 years ago

-1 if forced, neutral as an option. Forcing uniqueness in display names could be as restrictive in some environments as it is desired in others.

#3 @matt
12 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#4 @jacobsantos
12 years ago

  • Keywords nickname unique duplication removed
  • Milestone 2.7 deleted