Closed Bug 243303 Opened 20 years ago Closed 20 years ago

createaccount.cgi allowing possible overloading of user table

Product/Component: Bugzilla :: User Accounts
Type: enhancement
Version: 2.16.5
Hardware: PowerPC
OS: macOS
Priority: Not set
Severity: normal

Status: VERIFIED DUPLICATE of bug 87795

Reporter: schapht, Assigned: myk

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/124 (KHTML, like Gecko) Safari/125.1
Build Identifier: 

It seems like a malicious user could use createaccount.cgi to create a very large amount of users, 
resulting in a bloated user table and potential performance problems.

Possible solutions (from an outsider perspective):
- have createaccount.cgi make accounts in a separate table.  Create the entry in the users table on first 
login of the user.  
- have createaccount.cgi created accounts expire after some time if no-one has ever logged in on that 
account
- offer an option somewhere to purge any accounts that have never been used (Sanity Check warning?)

My apologies if this has been already requested, but none of the bug summaries seemed to fit the 
bill.

Reproducible: Always
Steps to Reproduce:
1. go to http://powerphunk.local/bugzilla/createaccount.cgi
2. enter falsified information
3. click "Create Account"
4. repeat many many many times
Version: unspecified → 2.16.5
Summary: createaccount.cgi could pose security problem → createaccount.cgi allowing possible overloading of user table
Aside from the direct dupe (responding to your question on IRC that I saw after
you left) 2.17.5 and up also have a "createemailregexp" param which defines a
regular expression that the email address of anyone signing up must match.  If
you leave that param blank, it completely disables account creation (removes all
the links and everything).

*** This bug has been marked as a duplicate of 87795 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
QA Contact: matty_is_a_geek → default-qa
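As an added illustration of the "createemailregexp" gate described in the comment above (this is example code written for this page, not Bugzilla's own implementation, and it assumes the parameter is applied as a plain Perl match against the requested address): a blank parameter refuses every sign-up, otherwise the address must match. The sample parameter values and addresses are constructed; the last two cases show why the pattern should be anchored, since an unanchored pattern matches as a substring and would admit an address that merely contains the intended domain.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code) of an email-pattern sign-up gate:
# an empty pattern disables account creation; otherwise the address must match.
use strict;
use warnings;

# Returns 1 if an account may be created for $email under $regexp, else 0.
sub creation_allowed {
    my ($regexp, $email) = @_;
    # Blank parameter: sign-up disabled for everyone.
    return 0 if !defined $regexp || $regexp eq '';
    return $email =~ /$regexp/ ? 1 : 0;
}

# Constructed sample cases: [pattern, address, expected result].
my @cases = (
    ['',                      'anyone@example.com',     0],  # blank: nobody
    ['^[^@]+@example\.com$',  'dev@example.com',        1],
    ['^[^@]+@example\.com$',  'dev@evil.org',           0],
    # Unanchored pattern matches as a substring and lets this through.
    ['@example\.com',         'x@example.com.evil.org', 1],
    # Anchored pattern rejects the same address.
    ['^[^@]+@example\.com$',  'x@example.com.evil.org', 0],
);

for my $c (@cases) {
    my ($re, $email, $want) = @$c;
    my $got = creation_allowed($re, $email);
    printf "%-25s %-26s allowed=%d%s\n", "'$re'", $email, $got,
        $got == $want ? '' : '  (UNEXPECTED)';
}
```

Run it with `perl` on any system with a standard Perl; it prints one line per case. The practical takeaway for an administrator restricting sign-ups by domain is to anchor the pattern with `^` and `$` and escape the dot, as in the second pattern above.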