• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Not a bug  Password when creating new acct

#1
On the log in page I clicked Create New and entered my email address but the password box was unavailable. I changed the radio button back to existing account and the password box became available. So, I entered my password and then changed it to Create New and it accepted both the username and the password.

I was using FireFox 3.X
 

Brandon

Active member
#2
so you're saying the password should be cleared on submit when creating a new user account.

the rest of what you described I would expect as normal behavior.
 

Nick

Well-known member
#3
When you say "login page" are you referring to the login area that appears at the top of the screen, or the actual registration page?
 
#4
I didn't see a registration page.

I saw a login with username and password box. Between them were two radio buttons. One said Create New Acct (or similar) the other said "Existing Account" (or similar). It seemed obvious that I could put in a username and password and click "Create New Acct" to register. But when the "Create New Acct" radio button was checked I could enter a username but not a password.

By clicking "Existing Acct" I could fill in both a username AND a password -- and then click Create New Acct and when submitted that registered my new acct.

It seems, that "Create New Acct" should either take me to a dedicated registration screen, OR it should let me pick a username and a password to begin the registration process.

Maybe, it shouldn't have worked at all -- but it worked in a totally unexpected way.
 

Erik

Well-known member
#5
The intended behavior is that you enter a username, check the "Create New Account" radio button, and then click Sign Up without entering a password. You'll then be taken to a new registration page:


It seems like you've found a hole whereby you can create a new account directly from the login form by doing some trickery with the radio buttons and password field. In other words, it should not have registered a new account for you. :)

I would actually classify this as a semi-serious security hole that needs to be fixed ASAP, as it allows anyone to register accounts without any email address entered, DOB, or any sort of anti-spam measures.
 

Erik

Well-known member
#7
I don't think it would/could actually create an account directly from there...
I don't think it could either, but that's what it sounds like from the OP's description, although I could have misinterpreted. At the very least I would test it out. :)

EDIT: I can confirm, I just tested this (tried to create a new account), and it does not work as the OP described. It just brings me to the new registration page as expected. So, doesn't look like there's a bug at all. :)
 

Mike

XenForo developer
Staff member
#8
I think he may have just been confused by the interface, thinking that the password had to be specified as well, while the password is actually depending on having an existing account.
 
#10
I sure "think" I created an account there -- but probably all it did was take me to the Create account page and I thought it was a second part of the process.

Either way -- it wasn't 100% clear. It would be better to have a create account submit type button, rather than have it be part of the Login like that.