SERIOUS ISSUE with the site - vulnerability found
I think there needs to be some sort of captcha or something to prevent replay attacks on the registration page. I'm able to register at least 5 users [starting with Soyabean] using Fiddler, just by modifying my username and then submitting. I'm sure someone out there has already been exploring this vulnerability by registering many accounts. Please look into it. Some examples: "Are these username generated by the system" @Chris-Maunder @Sean-Ewington
Bryian Tan
There is a hyphen in Chris-Maunder if you want to attract his attention. But it shouldn't be necessary here; I think he gets automatically notified of any new threads here, and he certainly checks here regularly.
Sent from my Amstrad PC 1640 Never throw anything away, Griff Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!
Thanks :). Looks like the adversary has already injected thousands of fake accounts into the system (that's my speculation).
Bryian Tan
Which is odd, because the names are more distinctive of spam than the default "Member nnnnnnnn", but easy to find as a "bloc" because the MIDs still stay pretty much contiguous. And I'd trust "Member nnnnnnnn" slightly more than "gdfsrysdeax" or similar ... :laugh:
Sent from my Amstrad PC 1640 Never throw anything away, Griff Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!
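The observation above, that scripted registrations show up as a bloc of near-contiguous member IDs with random-looking names, can be turned into a simple triage check. The following is an added example, not code from the site or from anyone in this thread; the member IDs, usernames, and the vowel-ratio heuristic are all constructed assumptions for illustration.

```python
import re
from collections import namedtuple

Account = namedtuple("Account", "member_id username")

# Constructed sample records (IDs and names are made up for this example).
SAMPLE_ACCOUNTS = [
    Account(15000101, "Member 15000101"),
    Account(15000102, "jsmith"),
    Account(15000103, "gdfsrysdeax"),
    Account(15000104, "qwrtplmnbv"),
    Account(15000105, "xzkvbnmqwr"),
    Account(15000106, "tlpmzxcvbk"),
    Account(15000107, "Soyabean"),
    Account(15000150, "Member 15000150"),
    Account(15000151, "hgfdskjqwz"),
]

VOWELS = set("aeiou")


def looks_random(username):
    """Heuristic (assumed, not a site rule): a long all-lowercase name with
    very few vowels and no digits or separators reads like keyboard mash."""
    name = username.lower()
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.25


def find_suspicious_blocs(accounts, min_run=3, max_gap=1):
    """Return runs of random-looking usernames whose member IDs are
    contiguous (allowing gaps of at most max_gap), which is the pattern a
    scripted registration loop leaves behind."""
    flagged = sorted((a for a in accounts if looks_random(a.username)),
                     key=lambda a: a.member_id)
    blocs, current = [], []
    for acct in flagged:
        if current and acct.member_id - current[-1].member_id > max_gap:
            if len(current) >= min_run:
                blocs.append(current)
            current = []
        current.append(acct)
    if len(current) >= min_run:
        blocs.append(current)
    return blocs


if __name__ == "__main__":
    for bloc in find_suspicious_blocs(SAMPLE_ACCOUNTS):
        print("suspicious bloc:", [a.member_id for a in bloc])
```

The isolated "hgfdskjqwz" at the end is deliberately not reported: one odd name is not evidence, a run of them at adjacent IDs is what makes the bloc worth reviewing.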