Display Name Spoofing #206399 02/14/2008 11:23 PM
luket (OP), enthusiast. Joined: Nov 2004. Posts: 173
Please uppercase names and remove whitespace before checking to see if there is a display name collision.

I’m having trouble with a little rascal spoofing the other posters on my board by simply adding two spaces to the name instead of one.

Toast Brad

Toast Brad

The second one is the spoof, and because of the font, is very hard to spot.
Please remove all whitespace before comparing names .. please :\





Member since November 2004
Gold Member since Feb 2008
Re: Display Name Spoofing [Re: luket] #206415 02/15/2008 1:35 AM
Gizmo, UBB.threads Developer. Joined: Jun 2006. Posts: 15,860. Likes: 1
Actually, the browser ignores double spaces (in fact, you could put a hundred, it'll only recognise one).


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Re: Display Name Spoofing [Re: Gizmo] #206421 02/15/2008 3:45 AM
jgeoff, Pooh-Bah. Joined: Aug 2006. Posts: 1,640

I have NO idea about this particular issue, but in the end... Browsers do display what scripts pump out, consistently... but that doesn't mean scripts pump out what browsers should be displaying -- so it's a legit concern to look into wink



GangsterBB.NET (Ver. 7.6.1.1)
2007 Content Rulez Contest - Hon Mention
UBB.classic 6.7.2 - RIP
Browsers: Chrome, Firefox, & Safari (iPhone); No IE, ever!
Re: Display Name Spoofing [Re: jgeoff] #206427 02/15/2008 6:41 AM
Gizmo, UBB.threads Developer. Joined: Jun 2006. Posts: 15,860. Likes: 1
Well, the script is pumping out what the user inputs; it's just that the web browser ignores the additional spaces...

As a test, 1 spaced:
Gizmo Is Cool

As a test, 10 spaces:
Gizmo Is Cool

Now, do a quick quote, it will show that I did indeed put 10 spaces, and Threads did indeed store 10 spaces. Thus, a browser issue and not really a threads "security" risk at all... Though I'm not sure how a check would work too well as items are not stored in the db without spaces; I suppose you could remove the space and md5 the value and store that md5 hash in the db and compare against that...


Re: Display Name Spoofing [Re: Gizmo] #206444 02/15/2008 9:51 AM
smallufo, enthusiast. Joined: Jun 2006. Posts: 215
I suggest that surrounding it with a PRE tag may solve this problem.



English is not my native language.
I try my best to express my thought precisely.
I hope you understand what I mean.
If any misunderstanding results from culture gaps, I apologize first.
Re: Display Name Spoofing [Re: smallufo] #206446 02/15/2008 10:55 AM
Rick, Former Developer. Joined: Jun 2006. Posts: 9,243
If you turn off special characters in display names in the control panel, then it prevents username spoofing. It strips out everything that isn't an alphanumeric character; it allows for _, however.

Re: Display Name Spoofing [Re: Rick] #206457 02/15/2008 1:07 PM
luket (OP), enthusiast. Joined: Nov 2004. Posts: 173
Apparently I’m unable to explain the simplest of bugs.

Rick, please approve my Display name change and you will see that I am now “David Dreezer”

The board does not check to see if there are two spaces in the display name, this happened to me yesterday.

I currently have Admin Approval for display name changes to stop this exploit, but it does exist and is an easy exploit; and easily fixed.

If you guys did not have Admin approval for display name changes turned on, I would be showing up as “David Dreezer” at this very moment.

And if you still don’t believe me, I’ll give Rick admin access to my boards so he can see that I banned: “Toast Brad” (2 spaces) yesterday in order to protect the real “Toast Brad”



Re: Display Name Spoofing [Re: luket] #206458 02/15/2008 1:12 PM
Rick, Former Developer. Joined: Jun 2006. Posts: 9,243
I understand the problem. The option under Registration Settings that I spoke of is how this is stopped:

Allow Special Characters in Display Names?

If that isn't checked, then it only allows for alphanumeric characters and the _ character.

It's more than just the need to strip out whitespace; there are several other things that need to be stripped out to prevent this. Some sites do not want that, though, which is why it's an optional setting.

Re: Display Name Spoofing [Re: Rick] #206479 02/15/2008 4:38 PM
luket (OP), enthusiast. Joined: Nov 2004. Posts: 173
oh, hmm..

It's a role-play community and probably 50% of my posters use spaces in their names:

Sir Simple
Mrs. Ant
Toast Brad
Flannery Flynn

Even though my simple-minded approach of removing spaces before the compare doesn't solve all known exploits, it does raise the bar a bit and makes the exploit a fair bit more obvious.

If I understand your reservation, it is that the system can still be undermined by, say, substituting an 'á' for an 'a'. Am I correct?

If this is the case: in the compare routine, perform the following logic.

Create a temporary Source string of the following form:
Foreach character in string that is not a-z or A-Z or 0-9, convert the character to a '#' character.


Create a temporary Destination string of the following form:
Foreach character in string that is not a-z or A-Z or 0-9, convert the character to a '#' character.

Now do the comparison to look for Display Name Spoofing smile

This test will work correctly virtually all the time.

The obvious optimization would be to store a hash of the normalized string (as described above) to speed the duplicate display name check.


I understand the answer is "turn off special characters" .. but I think we can all agree this is ugly and user unfriendly; especially for a role-play community where identity is everything.

Please consider my solution. (I'll phone in a pizza order for you to your neighborhood pizza parlor.) wink


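The comparison key luket sketches in the post above (drop whitespace, uppercase, map everything outside a-z/A-Z/0-9 to '#', then compare or hash), written out as an added Python example. This is not code from UBB.threads or from anyone in the thread; `EXISTING_NAMES` is a constructed stand-in for the forum's user table, and the `fold_accents` switch is an extension beyond the post that strips accents before the '#' step, because the rule as written maps 'á' to '#' rather than to 'A', so an accented letter swapped for a plain one yields a different key and is not flagged. `rendered_text` also shows Gizmo's point that the browser collapses the extra spaces, which is why the spoof is invisible on the page.

```python
import hashlib
import re
import unicodedata

# Constructed sample standing in for the forum's user table (not UBB.threads data).
EXISTING_NAMES = ["Toast Brad", "Sir Simple", "Mrs. Ant", "Flannery Flynn", "luket"]


def rendered_text(name):
    """Approximate what the browser shows: HTML collapses a run of whitespace
    to one space, so 'Toast  Brad' (two spaces) and 'Toast Brad' look identical."""
    return re.sub(r"\s+", " ", name).strip()


def normalize_name(name, fold_accents=False):
    """Build the comparison key described in the thread: remove all whitespace,
    uppercase, and turn every character outside A-Z/0-9 into '#'.

    fold_accents=True is an extension not in the thread (an assumption of this
    example): it decomposes the string (NFKD) and drops combining marks first,
    so 'á' becomes 'A' instead of '#' and the accent-substitution spoof collides
    with the genuine name. Cross-script look-alikes (e.g. Cyrillic 'а') are
    still mapped to '#' and would need a confusables table, not shown here."""
    if fold_accents:
        decomposed = unicodedata.normalize("NFKD", name)
        name = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    key = "".join(name.split()).upper()          # strip all whitespace, uppercase
    return re.sub(r"[^A-Z0-9]", "#", key)        # everything else becomes '#'


def name_key_hash(name, fold_accents=False):
    """Hash of the normalized key, the stored-column optimisation Gizmo and luket
    both mention. SHA-256 is used here; md5 would serve equally, since the hash
    is only a lookup key for equality, not a secret."""
    key = normalize_name(name, fold_accents)
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def build_index(names, fold_accents=False):
    """Map each stored key hash to the display names that produce it, the way a
    precomputed column on the user table would."""
    index = {}
    for n in names:
        index.setdefault(name_key_hash(n, fold_accents), []).append(n)
    return index


def find_collisions(candidate, index, fold_accents=False):
    """Existing display names the candidate would be confused with (empty if none).
    A registration or display-name change would be refused or queued for admin
    approval when this is non-empty."""
    return index.get(name_key_hash(candidate, fold_accents), [])


if __name__ == "__main__":
    index = build_index(EXISTING_NAMES)
    for attempt in ["Toast  Brad", "toast brad", "Toást Brad", "Mrs, Ant"]:
        print(f"{attempt!r:16} renders as {rendered_text(attempt)!r:14} "
              f"collides with {find_collisions(attempt, index)}")
```

Note the trade-off the thread argues over: the same rule that catches "Toast  Brad" also makes "Mrs. Ant" and "Mrs, Ant" collide, so it rejects some legitimately distinct names; that is the price of treating punctuation and look-alike characters as interchangeable, and it is still far less restrictive than disallowing special characters outright.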
Re: Display Name Spoofing [Re: luket] #206640 02/18/2008 9:20 AM
Yarp™, veteran. Joined: Aug 2006. Posts: 1,356
The option is called "Disallow special characters", so imho it should be used as a choice whether or not you want to have special characters in display names.

I don't think you turn off just any special char because you want extra security against spoofing display names.

My real suggestion would be to warn/ban users exploiting this. You just can't solve everything with technical solutions. Saying "it is not allowed" and punishing those who cross the line works for a lot of issues.



Powered by UBB.threads™ PHP Forum Software 7.7.4
(Snapshot build 20200106)