ID | 0002131
Project | ClearOS
Category | app-base - Base System
View Status | public
Date Submitted | 2015-01-15 10:41
Last Update | 2015-12-17 11:49
Reporter | dloper
Assigned To | user2
Priority | normal
Severity | minor
Reproducibility | always
Status | closed
Resolution | duplicate
Platform |
OS |
OS Version |
Product Version | 6.5.0
Target Version | 6.7.0 Updates
Fixed in Version |
Summary | 0002131: Webconfig does not properly escape % in password fields
Description | The percent character (%) is not properly escaped in Webconfig's login screen.
Steps To Reproduce | Create password: clear%54. You will be able to log in via the command line but not in Webconfig.
Additional Information | May be related: http://php.net/manual/en/mysqli.real-escape-string.php
Tags | No tags attached.
Attached Files |
Relationships |
Notes

(0001332) dloper (administrator) 2015-01-15 13:30
Changing to public. Not exploitable.

(0001333) dloper (administrator) 2015-01-15 13:35
This appears to be a failure of the browser to properly submit the % followed by two hexadecimally valid characters [0-9, a-f, A-F]. In the example above, 'clear%54' is seen by the system as 'clearT'. Passing the ASCII code for '%' is a workaround for input. The input of 'clear%2554' would render as 'clear%54' in the form data using the fields that we use. We will need to tweak the field to override this behavior in the web browser to eliminate this problem. Confirmed on: Chrome, Safari, Firefox.

(0001334) dloper (administrator) 2015-01-15 15:57
http://en.wikipedia.org/wiki/Percent-encoding

(0001337) marclaporte (manager) 2015-01-20 20:40
Here are two similar issues we had in Tiki:
Password will not be accepted when using @ > or < in the password string (with or without LDAP): https://dev.tiki.org/item4599
LDAP authentication doesn't support special characters like "æ,ø,å" in CN name: https://dev.tiki.org/item3984
Since all kinds of apps can authenticate against ClearOS-LDAP, perhaps it would make sense to be able to restrict risky special characters in passwords? (And if so, have a JavaScript error message when the user tries to type that character.) Issues like this are hard to detect because most users are fine, and only some will have issues. And since the admin doesn't know the passwords, it's hard to detect the pattern.
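The two notes above each describe behaviour that is easier to reason about when run: note 0001333 states that a submitted 'clear%54' reaches the system as 'clearT' while 'clear%2554' survives as 'clear%54', and note 0001337 suggests warning the user client-side about risky characters. The JavaScript below is an added example and is not ClearOS/Webconfig or Tiki code. It relies only on the standard encodeURIComponent and decodeURIComponent functions and on the issue's own sample values; the helper names (decodeOnce, roundTrip, riskyPercentSequences, decodingWouldAlter) are this example's own, and the loop at the end uses constructed inputs.

```javascript
// Added example, not ClearOS/Webconfig code. Reproduces the percent-decoding
// pitfall described in the issue and shows the correct single round trip plus
// the kind of client-side check suggested in the notes.

// Simulates a password that has had one (extra) percent-decoding pass applied
// to it, which is the behaviour the report describes for 'clear%54' -> 'clearT'.
// decodeURIComponent throws on a malformed sequence such as 'p%zzword'; that is
// the "garbled password" failure mode, so it is reported rather than thrown.
function decodeOnce(value) {
  try {
    return { ok: true, value: decodeURIComponent(value) };
  } catch (e) {
    return { ok: false, value: null, error: 'malformed percent sequence' };
  }
}

// Correct handling: the raw password is percent-encoded exactly once when the
// form is sent and decoded exactly once on arrival, so the original survives.
// This is the mechanism behind the workaround in note 0001333: the encoded
// form of 'clear%54' is 'clear%2554', which decodes back to 'clear%54'.
function roundTrip(password) {
  const encoded = encodeURIComponent(password);
  return decodeURIComponent(encoded);
}

// Detector for the risky pattern named in the report: a '%' followed by two
// hex digits, which a stray decode pass silently turns into one character.
// Returns every such sequence so a form can show the user a concrete warning.
const RISKY_SEQUENCE = /%[0-9a-fA-F]{2}/g;
function riskyPercentSequences(password) {
  return password.match(RISKY_SEQUENCE) || [];
}

// Server-side sanity check a login handler can apply: if decoding the received
// value would change it, the value has either been double-handled in the
// pipeline or the user typed a literal %xx. Either way the credential compare
// is about to fail for a reason worth logging rather than a plain bad password.
function decodingWouldAlter(submitted) {
  const r = decodeOnce(submitted);
  return r.ok && r.value !== submitted;
}

// Walk-through over constructed inputs, including the issue's own values.
const samplePasswords = ['clear%54', 'clear%2554', 'clearT', 'p%zzword'];
for (const pw of samplePasswords) {
  console.log(
    pw,
    '| decoded once:', JSON.stringify(decodeOnce(pw)),
    '| risky sequences:', JSON.stringify(riskyPercentSequences(pw)),
    '| survives one encode/decode round trip:', roundTrip(pw) === pw,
    '| decoding would alter:', decodingWouldAlter(pw)
  );
}
```

Run it with node. The output shows the two sides of the problem: a value that is decoded without having been encoded loses information ('clear%54' becomes 'clearT', and 'p%zzword' is rejected outright), while a value that is encoded once and decoded once is always returned unchanged. The detector and the alter check are the two defensive hooks: the first warns the user before a fragile password is set, the second lets the server distinguish a mangled submission from an ordinary wrong password.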
Issue History

Date Modified | Username | Field | Change
2015-01-15 10:41 | dloper | New Issue |
2015-01-15 13:30 | dloper | Note Added: 0001332 |
2015-01-15 13:30 | dloper | View Status | private => public
2015-01-15 13:35 | dloper | Note Added: 0001333 |
2015-01-15 15:57 | dloper | Note Added: 0001334 |
2015-01-19 08:51 | user2 | Status | new => confirmed
2015-01-19 08:51 | user2 | Target Version | 6.6.0 => 6.6.0 Updates
2015-01-20 20:40 | marclaporte | Note Added: 0001337 |
2015-08-13 11:41 | user2 | Target Version | 6.6.0 Updates => 6.7.0 Updates
2015-12-17 11:49 | user2 | Relationship added | duplicate of 0000563
2015-12-17 11:49 | user2 | Status | confirmed => resolved
2015-12-17 11:49 | user2 | Resolution | open => duplicate
2015-12-17 11:49 | user2 | Assigned To | => user2
2015-12-17 11:49 | user2 | Status | resolved => closed