Dear Customers,
A possible security issue within vBulletin has been identified. There isn't a patch so to speak, so I don't think vb will be making a release notice about this. I just want to make sure all of our customers are aware of the potential risk in leaving user names wide open.
Floren brought this up here:
Security flaw found in all vBulletin versions - Axivo Forums
There is a discussion thread on vb about the issue here along with a regex fix for user names:
vBulletin Community Forum
The only fix available is to filter your usernames and allow only alphanumeric characters, when a guest tries to register.
Go to vBulletin Options and select the User Registration Options menu.
Into the Username Regular Expression field, enter:
Code:
^[a-zA-Z0-9@\._ ]+$
My article written years ago uses a similar rule, but I allow just spaces instead of . _ and @ along with the space. With vbseo, spaces will turn into "-", and so will "_" in the url, so it's a good idea to not allow both spaces and any other semi-special character if you don't use IDs in any member area rewrite settings. Your choice.
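
An added example, not part of the original post or of vBulletin's code: a Python check of the username pattern above against constructed sample names, plus a report of which accepted names would collide once spaces and "_" both become "-" in URLs. `url_slug` is a hypothetical model of only that rewrite rule, not vBSEO's actual implementation.

```python
import re
from collections import defaultdict

# Pattern from the post: letters, digits, "@", ".", "_" and space.
POST_PATTERN = re.compile(r"^[a-zA-Z0-9@\._ ]+$")
# Stricter variant the post describes: letters, digits and space only.
STRICT_PATTERN = re.compile(r"^[a-zA-Z0-9 ]+$")


def is_allowed(username, pattern=POST_PATTERN):
    """True if the whole username consists of permitted characters."""
    # fullmatch also rejects a trailing newline, which "$" alone lets through.
    return pattern.fullmatch(username) is not None


def url_slug(username):
    """Assumed model of the rewrite described in the post: space and "_" -> "-"."""
    return re.sub(r"[ _]", "-", username)


def slug_collisions(usernames, pattern=POST_PATTERN):
    """Group accepted usernames that end up with the same URL slug."""
    groups = defaultdict(list)
    for name in usernames:
        if is_allowed(name, pattern):
            groups[url_slug(name)].append(name)
    return {slug: names for slug, names in groups.items() if len(names) > 1}


# Constructed sample registrations, not taken from any real forum.
SAMPLE = ["john doe", "john_doe", "alice", "bob@example.com",
          "user<1>", "a&b;", "carol\n"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name!r:20} post={is_allowed(name)} "
              f"strict={is_allowed(name, STRICT_PATTERN)}")
    print("colliding slugs:", slug_collisions(SAMPLE))
    print("with strict rule:", slug_collisions(SAMPLE, STRICT_PATTERN))
```

With the pattern from the post, "john doe" and "john_doe" are both accepted and share one slug; with the stricter rule only the first is accepted, so the collision disappears.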