Geeklog Forums

It\'s not that big of a deal, but it seems like a bug. It is possible to register as a new user without a username. I just did it on this site, got an email with a password, and of course can\'t login because I don\'t have a username. But now your database has a few extra records. There needs to be a check added in users.php, createuser(). something like: if(COM_isEmail($email)) && (isset($username)) {

Further to this, you can actually log in (I did). When I tried to log in using just a password I was rejected, then I tried to input a space in login field and tadam I was suddenly logged. Strange hmmm. Does it mean any security issues?

---

Geeklog Polish Support Team

i tried that too, using a space as username to login, but it didn\'t work. i think it\'s more of a headache than a security problem, and easily fixed. one possible security problem i can think of is that someone could make a script to bombard you with fake registrations, filling your database with dummy users, and effectively employing a DOS attack. of course, this can be done even if an empy username wasn\'t allowed, as long as your site accepts instant registrations.