Illegal characters in nickname of forum members



Hello!

 

I noticed that newly joined member

http://www.scienceforums.net/user/117635-n≡xt/

used some characters generally considered illegal in his/her nickname.

 

It's potentially dangerous for the database, and for security, if the code responsible for accepting nicknames allows any UTF characters..

 

Only nicknames with a-z,A-Z,_,-,0-9 should be allowed to be made IMHO.

 

Please notice we can't even write his/her name in a reply; we don't know what key to press on the keyboard to get these three horizontal lines (second char in the nickname)..

 

He/she made it accidentally, but revealed a potentially dangerous leakage in the forum software.

 

Best Regards!


What exactly is "dangerous"?

Injection of code to execute in a string passed to the forum software as a nickname (or any other parameter that is not properly checked prior to putting it in the database, sent e.g. by HTTP GET/POST methods).

 

E.g. if you have a PHP & MySQL db which is not properly protected from injection, somebody can send a string like " ' ); [some code here]": the command is finished by an apostrophe (or so) and then a closing parenthesis; later come commands to execute and intercept the whole server, for example...

 

Don't make this thread a lesson on how to break into some server..

 

https://en.wikipedia.org/wiki/Code_injection

Edited by Sensei

What exactly is "dangerous"?

My guess is that Sensei is thinking about the dangers of SQL injection or, more generally, the problem that software may a) not be able to properly handle the input it gets and b) also not be able to handle the problems that occur.

 

For example:

Assume your software takes a username USERNAME and issues the command to create that user in the database as

create_user("USERNAME")

 

Choosing the username dummy")delete_database()"create_user("youAreScrewed would cause the following commands to be passed to the database:

create_user("dummy")

delete_database()

create_user("youAreScrewed")

 

The forum software used by sfn is a commercial product used on many forums. I would be somewhat surprised if the developers of commercial software were unaware of how to develop software, though. I mean, there is even an xkcd comic about this (https://xkcd.com/327/). The question which characters to allow appears in all software development (and be it only for the documentation). So if unconventional characters are allowed I assume that this was on purpose.

 

EDIT: Guess I guessed correctly.

Edited by timo
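The two defences the posts above circle around, written out as an added Python example (not the forum software's code, and not anything Sensei or timo posted): Sensei's allow-list check on the nickname, and timo's warning about splicing the username into the SQL text, beside the parameterised query that makes the same input harmless. It uses the standard library's sqlite3 with an in-memory database; timo's example username is adapted to single-quoted SQL string literals, the 32-character length cap is an assumption of the example, and all names and inputs are constructed.

```python
import re
import sqlite3

# Allow-list from Sensei's proposal: a-z, A-Z, 0-9, underscore, hyphen.
# The 1-32 length cap is an added assumption, not something the thread specifies.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# timo's example username, adapted to SQL single-quoted string literals
# (constructed test input, not data taken from the forum).
PAYLOAD = "dummy')delete_database()'create_user('youAreScrewed"


def is_valid_username(name: str) -> bool:
    """Defence 1: reject anything outside the allow-list before it reaches the database."""
    return USERNAME_RE.fullmatch(name) is not None


def unsafe_insert_sql(name: str) -> str:
    """The anti-pattern both posts describe: the name is spliced into the SQL text,
    so quote characters inside the name change the statement's structure."""
    return "INSERT INTO users(name) VALUES ('" + name + "')"


def create_user_unsafe(conn: sqlite3.Connection, name: str) -> str:
    """Run the concatenated statement and report whether the database accepted it."""
    try:
        conn.execute(unsafe_insert_sql(name))
        return "inserted"
    except sqlite3.Error as exc:
        # sqlite3 refuses the mangled statement here; the point is that the
        # statement's meaning was controlled by the user, not by the application.
        return "rejected: " + type(exc).__name__


def create_user_safe(conn: sqlite3.Connection, name: str) -> str:
    """Defence 2: a parameterised query. The name travels as data, never as SQL
    text, so any character, including the thread's ≡, is stored literally."""
    conn.execute("INSERT INTO users(name) VALUES (?)", (name,))
    return "inserted"


def stored_names(conn: sqlite3.Connection) -> list:
    """Return the names actually stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def run_demo() -> dict:
    """Exercise both defences against the thread's inputs on a throwaway database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT NOT NULL)")
    results = {
        "valid_plain": is_valid_username("n_xt-117635"),
        "valid_unicode": is_valid_username("N\u2261XT"),  # the nickname from the thread
        "valid_payload": is_valid_username(PAYLOAD),
        "unsafe_payload": create_user_unsafe(conn, PAYLOAD),
        "unsafe_apostrophe": create_user_unsafe(conn, "O'Brien"),  # a legitimate name breaks it too
        "safe_payload": create_user_safe(conn, PAYLOAD),
        "safe_unicode": create_user_safe(conn, "N\u2261XT"),
    }
    results["stored"] = stored_names(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The two checks are independent: the allow-list is a policy decision about which names the forum wants, while parameterisation is what actually keeps the database safe, and it handles a plain "O'Brien" just as well as timo's constructed name. Relying on the allow-list alone would leave every other string-typed field with the same problem.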

As for the naming of my profile, the key terms that were used to create my profile username were ( Alt-240 ) in combination.

 

However, if it were to cause the issues now brought up by both Sensei and timo, then I can see that it will create a problem later in the future as well.

 

Therefore I will change my username to something more database friendly.

 

Thank You

 

Scientifically Next :3

Edited by N≡XT

I would be somewhat surprised if the developers of commercial software were unaware of how to develop software, though.

Tell this to Microsoft, Adobe, Apple, Google etc. etc.,

who frequently send "a critical vulnerability has been found, new patch for software/OS".. :)


The reason that "odd" characters sometimes cause problems is that they are recognised as commands. I'm not really a programmer, but I haven't seen that character used in code, so it's almost certainly not a command, and thus not a threat.


Tell this to Microsoft, Adobe, Apple, Google etc. etc.,

who frequently send "a critical vulnerability has been found, new patch for software/OS".. :)

You have a point there. In fact, this forum software has, or at least has had, related security issues, including some that seem surprisingly stupid, as far as I can tell from a glance. However, they are a bit "deeper" than invalid human user input, which I still think commercial software developers are aware of as a potential problem.

 

EDIT: I hereby take back everything I said and argue for the opposite. Checking the software's forum, there indeed was a case of someone who had a problem with special characters in usernames (in 2008). At least the reply was somewhat according to common folklore, saying that the underlying database was to blame for not being able to handle the input given by the forum software ( :blink: , and also http://dilbert.com/strip/2004-07-31) [alas, I can't re-find the thread I saw ...].

Edited by timo