[Resolved] Bypass protection with URL-encoded null bytes
The protection offered by stop-user-enumeration 1.2.4 may be bypassed by adding a URL-encoded null byte (‘%00’) between ‘author’ and ‘=’ in the URL query string. The URL-encoded null byte may be extended with any combination of additional zeros and/or percent characters.
Proposed change to the regexes here:
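As an added illustration (not code from the report or from the plugin), the following Python contrasts a naive check on the raw query string with a decode-first check on the encoded variants described above; both regexes and the sample requests are constructed assumptions, not stop-user-enumeration's own patterns.

```python
import re
from urllib.parse import unquote

# Assumed naive check on the raw (still percent-encoded) query string; this is
# a constructed stand-in, not the plugin's actual regex.
RAW_AUTHOR_RE = re.compile(r'(?:^|&)author=', re.IGNORECASE)

# Hardened form: run on the fully decoded string and tolerate NUL bytes and
# stray '%' characters sitting between the parameter name and '='.
DECODED_AUTHOR_RE = re.compile(r'(?:^|&)author[\x00%]*=', re.IGNORECASE)


def fully_decode(query: str) -> str:
    """Percent-decode until the string stops changing ('%2500' -> '%00' -> NUL)."""
    for _ in range(8):  # bounded so hostile input cannot keep us looping
        decoded = unquote(query)
        if decoded == query:
            return decoded
        query = decoded
    return query


def raw_check_blocks(query: str) -> bool:
    """Weak behaviour: regex applied to the raw query string as received."""
    return RAW_AUTHOR_RE.search(query) is not None


def hardened_check_blocks(query: str) -> bool:
    """Decode first, then match; NUL/percent padding before '=' still matches."""
    return DECODED_AUTHOR_RE.search(fully_decode(query)) is not None


# Constructed sample query strings: a plain probe, the encoded variants the
# report describes, and an unrelated parameter that must not be blocked.
SAMPLES = [
    "author=1",
    "author%00=1",
    "author%2500=1",
    "author%00%00=1",
    "author%%00=1",
    "p=1",
]


def run_samples() -> dict:
    """Map each sample to (raw check result, hardened check result)."""
    return {q: (raw_check_blocks(q), hardened_check_blocks(q)) for q in SAMPLES}


if __name__ == "__main__":
    for q, (raw, hardened) in run_samples().items():
        print(f"{q:18} raw={raw!s:5} hardened={hardened}")
```

The decode-first check closes the reported gap, but the most reliable fix is to test the parameter name as the application itself parses it (e.g. the key actually present in the request's parsed query) rather than re-implementing that parsing with a regex over the raw URI.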