Joomla! Issue Tracker | Joomla! CMS #19438 - Send spam through user registration

Closed
28 Feb 2018
Medium
Build: staging
# 19438

yoerin
23 Jan 2018

Steps to reproduce the issue

Set user activation to 'Admin' and allow user registration.

Submit the registration form where the name of the user is spam text and enter an email to spam (use a test email for this ofcourse)

Expected result

No email send to the user

Actual result

The email that is used to register an account receives an email and because the name of the user contains spam text this text is placed in the email.

Additional comments

Ad an option to turn off all emails after registration or putt a variable limitation on the username

yoerin - open - 23 Jan 2018

joomla-cms-bot - change - 23 Jan 2018

Labels

Added: ?

joomla-cms-bot - labeled - 23 Jan 2018

joomla-cms-bot - edited - 23 Jan 2018

franz-wohlkoenig - change - 23 Jan 2018

Category

⇒

Authentication com_users

Fedik - comment - 23 Jan 2018

just enable Captcha for registration:

franz-wohlkoenig - change - 23 Jan 2018

Status

New

⇒

Discussion

brianteeman - comment - 24 Jan 2018

the username field is only 30 characters of text - not very useful for sending spam

franz-wohlkoenig - change - 25 Jan 2018

Status

Discussion

⇒

Information Required

Quy - comment - 1 Feb 2018

While the username field has a size attribute of 30, it can be up to 150 characters long.

brianteeman - comment - 2 Feb 2018

@Quy the database table allows it to be 150 but the "spammer" can still only submit 30 characters

Quy - comment - 2 Feb 2018

More than 150 characters can be entered but it will be truncated at 150. I created a 150 characters username.

brianteeman - comment - 2 Feb 2018

I only tested in the admin where you can only submit 30

Quy - comment - 2 Feb 2018

Ok then the issue is the front end registration allowing up to 150 characters.

brianteeman - comment - 2 Feb 2018

So that's a bug and will cause issues if a long username is created on the fronted and then edited in the admin. I will take a look at fixing that

brianteeman - comment - 2 Feb 2018

Sorry my mistake you can enter 150 characters in both admin and frontend - I must have had a different error before that was unrelated

sandewt - comment - 2 Feb 2018

The Name is up to 400 characters long. Could also be shorter.

Moreover, it can break the layout of the site (backend + frontend) .

See the image.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19438.}

Quy - comment - 11 Feb 2018

Related #14275

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19438.}

Quy - change - 28 Feb 2018

Status	Information Required	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2018-02-28 02:21:35
Closed_By		⇒	Quy

joomla-cms-bot - change - 28 Feb 2018

Closed_Date	2018-02-28 02:21:35	⇒	2018-02-28 02:21:36
Closed_By	Quy	⇒	joomla-cms-bot

joomla-cms-bot - close - 28 Feb 2018

joomla-cms-bot - comment - 28 Feb 2018

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/19438

Quy - comment - 28 Feb 2018

Lets discuss in #14275 as it relates to more control over username/email which would address spam abuse as mentioned in this issue.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19438.}

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#19438] - Send spam through user registration

Steps to reproduce the issue

Expected result

Actual result

Additional comments

Add a Comment