Posted on: 08/20/03 05:59pm
By: josheli
It's not that big of a deal, but it seems like a bug. It is possible to register as a new user without a username. I just did it on this site, got an email with a password, and of course can't log in because I don't have a username. But now your database has a few extra records. There needs to be a check added in users.php, createuser(). Something like:
if (COM_isEmail($email) && isset($username)) {
Re:Create account without username
Posted on: 08/21/03 04:07am
By: Robin
Further to this, you can actually log in (I did).
When I tried to log in using just a password I was rejected, then I tried to input a space in the login field and tadam, I was suddenly logged in. Strange, hmmm.
Does it mean any security issues?
Re:Create account without username
Posted on: 08/21/03 10:58am
By: josheli
i tried that too, using a space as username to login, but it didn't work.
i think it's more of a headache than a security problem, and easily fixed.
one possible security problem i can think of is that someone could make a script to bombard you with fake registrations, filling your database with dummy users, and effectively employing a DOS attack.
of course, this can be done even if an empty username wasn't allowed, as long as your site accepts instant registrations.
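Added example, not part of the thread and not Geeklog's own code: a registration check that covers both cases reported above, the missing username and the single space, which isset() alone lets through. validateRegistration() is a hypothetical helper, filter_var() stands in for the COM_isEmail() call in the first post, and the sample submissions are constructed.

```php
<?php
// Hypothetical helper for illustration; run it before any INSERT or
// password email so rejected submissions leave no record behind.
function validateRegistration($username, $email): array
{
    $errors = [];

    // isset() is true for '' and ' ', so it cannot be the only test.
    if (!is_string($username)) {
        $errors[] = 'username missing';
    } else {
        $name = trim($username); // strips spaces, tabs, newlines, NUL
        if ($name === '') {
            $errors[] = 'username empty or whitespace only';
        } elseif ($name !== $username) {
            $errors[] = 'username has leading or trailing whitespace';
        } elseif (preg_match('/[\x00-\x1F\x7F]/', $name)) {
            $errors[] = 'username contains control characters';
        }
    }

    // Stand-in for COM_isEmail() (assumption: same accept/reject intent).
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email invalid';
    }

    return $errors;
}

// Constructed sample submissions: [username, email]
$samples = [
    ['',      'a@example.com'],
    [' ',     'a@example.com'],
    [null,    'a@example.com'],
    ['josh ', 'josh@example.com'],
    ['josh',  'not-an-email'],
    ['josh',  'josh@example.com'],
];

foreach ($samples as [$u, $e]) {
    $errs = validateRegistration($u, $e);
    printf("%-8s %-18s %s\n", var_export($u, true), $e,
        $errs ? implode('; ', $errs) : 'ok');
}
```

Applying the same trim-and-compare rule on the login path keeps a lone space from ever matching a stored account name.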