Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10184

Bots can be sent private messages


    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.12-RC1
    • Labels:
    • Environment:
      all environments - this bug exists on every phpBB installation.



      It is possible to send PMs to bots (3.0.8)!
      Bots are not visible at the member page, but there is a way to access their profile, however:

      [*]Open a users profile.
      [*]Edit the adress bar (change the User-ID - In my case, Bing[bot] was ID 63).
      [*]The bot has got an profile! And he has got an "PM"-button, too.
      [*]Using this button, you can write personal messages to bots. Nobody will ever realize that the bot has got messages, but they are able to flood the forums database and evil users could use this to overload it (with attachments etc.).

      Even an administrator of the forum is not able to view the messages of other users, so it is not possible to delete such messages! :shock:
      An evil user is able to flood the forums's server with [Number of bot-accounts] * [PM inbox limit] * [forum attachment limit MB] MB of undeleteable attachments. If there are 50 bot accounts and the inbox limit is 50 messages and the attachment limit is 1 MB, this means it is possible to send 2500 MB = 2,5 Gigabytes of attachments to bot accounts!

      I suggest turning user_allow_PM off for bot accounts by default.

      I am attaching a screenshot.

      Sorry for my bad english. :|
      If you were not able to follow the steps, I will make a screencapture.



          Issue Links



              • Assignee:
                nickvergessen Joas Schilling
                ToBeFree Tobias Frei
              • Votes:
                0 Vote for this issue
                0 Start watching this issue


                • Created: