ClearFoundation Tracker - ClearOS
Issue ID: 0002131
Project: ClearOS
Category: app-base - Base System
View Status: public
Date Submitted: 2015-01-15 10:41
Last Update: 2015-12-17 11:49
Reporter: dloper
Assigned To: user2
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 6.5.0
Target Version: 6.7.0 Updates
0002131: Webconfig does not properly escape % in password fields
The percent character (%) is not properly escaped in Webconfig's login screen.
Steps to reproduce: create the password clear%54

You will be able to log in via command line but not in Webconfig.
May be related:

http://php.net/manual/en/mysqli.real-escape-string.php
No tags attached.
duplicate of 0000563 (closed, bchambers): Ampersand (&) character is not recognized by webconfig.
Issue History
2015-01-15 10:41  dloper       New Issue
2015-01-15 13:30  dloper       Note Added: 0001332
2015-01-15 13:30  dloper       View Status: private => public
2015-01-15 13:35  dloper       Note Added: 0001333
2015-01-15 15:57  dloper       Note Added: 0001334
2015-01-19 08:51  user2        Status: new => confirmed
2015-01-19 08:51  user2        Target Version: 6.6.0 => 6.6.0 Updates
2015-01-20 20:40  marclaporte  Note Added: 0001337
2015-08-13 11:41  user2        Target Version: 6.6.0 Updates => 6.7.0 Updates
2015-12-17 11:49  user2        Relationship added: duplicate of 0000563
2015-12-17 11:49  user2        Status: confirmed => resolved
2015-12-17 11:49  user2        Resolution: open => duplicate
2015-12-17 11:49  user2        Assigned To: => user2
2015-12-17 11:49  user2        Status: resolved => closed

Notes
(0001332) dloper, 2015-01-15 13:30
Changing to public. Not exploitable.
(0001333) dloper, 2015-01-15 13:35
This appears to be a failure of the browser to properly submit the % followed by two hexadecimally valid characters [0-9,a-f,A-F]. In the example above 'clear%54' is seen by the system as 'clearT'.

Passing the ASCII code for '%' is a workaround for input. The input of 'clear%2554' would render as 'clear%54' in the form data using the fields that we use.

We will need to tweak the field to override this behavior in the web browser to eliminate this problem.

Confirmed on: Chrome, Safari, Firefox
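Added illustration, not Webconfig or ClearOS code: it models the symptom above ('clear%54' arriving as 'clearT') as one percent-decoding step too many applied to the submitted form value, and shows why 'clear%2554' survives as 'clear%54'. Where such an extra decode would actually happen in Webconfig is not established by this report and is an assumption of the model.

```javascript
// Added example, not Webconfig/ClearOS code. Models the symptom in this report
// (typed "clear%54" arrives as "clearT") as one percent-decoding step too many
// on the submitted form value. Where that extra decode happens in Webconfig is
// not established by the report; it is an assumption of this model.

// Browser side: an HTML form sends application/x-www-form-urlencoded data and
// encodes a literal "%" exactly once, as "%25".
function encodeFormField(name, value) {
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
}

// Correct receiver: split on "&" and "=", decode every part exactly once.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const idx = pair.indexOf("=");
    const rawName = idx === -1 ? pair : pair.slice(0, idx);
    const rawValue = idx === -1 ? "" : pair.slice(idx + 1);
    // Form encoding uses "+" for space; decodeURIComponent does not.
    fields[decodeURIComponent(rawName.replace(/\+/g, " "))] =
      decodeURIComponent(rawValue.replace(/\+/g, " "));
  }
  return fields;
}

// Faulty receiver: decodes the already-decoded value a second time, so any
// "%XX" the user typed is treated as an escape, and "%" followed by a
// non-hex character makes the decoder throw (the login simply fails).
function buggyReadPassword(body) {
  const once = parseFormBody(body).password;
  try {
    return decodeURIComponent(once);
  } catch (e) {
    return null; // URIError: malformed escape, password lost entirely
  }
}

// Correct receiver: the parser already decoded the value exactly once.
function fixedReadPassword(body) {
  return parseFormBody(body).password;
}

// Runs a typed password through both receivers.
function demo(typed) {
  const wire = encodeFormField("password", typed);
  return { wire, buggy: buggyReadPassword(wire), fixed: fixedReadPassword(wire) };
}

console.log(demo("clear%54"));   // buggy: "clearT", fixed: "clear%54"
console.log(demo("clear%2554")); // buggy: "clear%54" (the workaround in the note)
```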
(0001334) dloper, 2015-01-15 15:57
http://en.wikipedia.org/wiki/Percent-encoding
(0001337) marclaporte, 2015-01-20 20:40
Here are two similar issues we had in Tiki:

Password will not be accepted when using @ > or < in the password string (with or without LDAP)
https://dev.tiki.org/item4599

LDAP authentication doesn't support special characters like "æ,ø,å" in CN name.
https://dev.tiki.org/item3984

Since all kinds of apps can authenticate against ClearOS-LDAP, perhaps it would make sense to be able to restrict risky special characters in passwords? (and if so, have a JavaScript error message when the user tries to type that character)

Issues like this are hard to detect because most users are fine, and only some will have issues. And since the admin doesn't know the passwords, it's hard to detect the pattern.