ClearOS Bug Tracker


View Issue Details

ID: 0002131
Project: ClearOS
Category: app-base - Base System
View Status: public
Date Submitted: 2015-01-15 10:41
Last Update: 2015-12-17 11:49
Reporter: dloper
Assigned To: user2
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Platform:
OS:
OS Version:
Product Version: 6.5.0
Target Version: 6.7.0 Updates
Fixed in Version:
Summary: 0002131: Webconfig does not properly escape % in password fields

Description: The percent character (%) is not properly escaped in Webconfig's login screen.

Steps To Reproduce: create password: clear%54

You will be able to log in via command line but not in Webconfig.

Additional Information: May be related

http://php.net/manual/en/mysqli.real-escape-string.php

Tags: No tags attached.

Attached Files: none

Relationships
duplicate of 0000563 (closed, bchambers): Ampersand (&) character is not recognized by webconfig.

Notes
(0001332)
dloper (administrator)
2015-01-15 13:30

Changing to public. Not exploitable.
(0001333)
dloper (administrator)
2015-01-15 13:35

This appears to be a failure of the browser to properly submit the % followed by two hexadecimally valid characters [0-9,a-f,A-F]. In the example above 'clear%54' is seen by the system as 'clearT'.

Passing the ASCII code for '%' is a workaround for input. The input of 'clear%2554' would render as 'clear%54' in the form data using the fields that we use.

We will need to tweak the field to override this behavior in the web browser to eliminate this problem.

Confirmed on: Chrome, Safari, Firefox
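An added example (not part of the ClearOS report or of Webconfig's code) that models the behaviour the note describes: a browser encodes '%' in a form field as '%25', a server that percent-decodes the body exactly once gets the password back intact, and any further decode pass on that value turns 'clear%54' into 'clearT' while the 'clear%2554' workaround survives as 'clear%54'. The check function at the end is an assumption about how a defender might flag at-risk values, not anything Webconfig does.

```javascript
// What a browser puts on the wire for an application/x-www-form-urlencoded field.
function encodeFormField(name, value) {
  const params = new URLSearchParams();
  params.set(name, value);
  return params.toString(); // "password=clear%2554" for the report's password
}

// Server side: decode the request body exactly once (the correct handling).
function decodeFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// One percent-decode pass done byte-wise, the way a classic urldecode() works:
// only '%' followed by two hex digits is replaced, anything else is left alone.
// ASCII-only on purpose; multi-byte escapes are out of scope for this demo.
function percentDecodeOnce(value) {
  return value.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Practitioner check (assumed, hypothetical): does one more decode pass change
// the value? If so, it will be mangled wherever a pipeline decodes twice.
function isMangledByExtraDecode(value) {
  return percentDecodeOnce(value) !== value;
}

// Walk a password through the pipeline; the default is the report's constructed sample.
function demo(password = 'clear%54') {
  const body = encodeFormField('password', password);   // wire: password=clear%2554
  const onceDecoded = decodeFormBody(body).password;     // correct: clear%54
  const twiceDecoded = percentDecodeOnce(onceDecoded);   // one pass too many: clearT
  return { body, onceDecoded, twiceDecoded };
}

console.log(demo());              // the reported password
console.log(demo('clear%2554'));  // the workaround typed into the field
```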
(0001334)
dloper (administrator)
2015-01-15 15:57

http://en.wikipedia.org/wiki/Percent-encoding
(0001337)
marclaporte (manager)
2015-01-20 20:40

Here are two similar issues we had in Tiki:

Password will not be accepted when using @ > or < in the password string (with or without LDAP)
https://dev.tiki.org/item4599

LDAP authentication doesn't support special characters like "æ,ø,å" in CN name.
https://dev.tiki.org/item3984

Since all kinds of apps can authenticate against ClearOS-LDAP, perhaps it would make sense to be able to restrict risky special characters in passwords? (and if so, have a JavaScript error message when the user tries to type that character)

Issues like this are hard to detect because most users are fine, and only some will have issues. And since the admin doesn't know the passwords, it's hard to detect the pattern.

Issue History
Date Modified Username Field Change
2015-01-15 10:41 dloper New Issue
2015-01-15 13:30 dloper Note Added: 0001332
2015-01-15 13:30 dloper View Status private => public
2015-01-15 13:35 dloper Note Added: 0001333
2015-01-15 15:57 dloper Note Added: 0001334
2015-01-19 08:51 user2 Status new => confirmed
2015-01-19 08:51 user2 Target Version 6.6.0 => 6.6.0 Updates
2015-01-20 20:40 marclaporte Note Added: 0001337
2015-08-13 11:41 user2 Target Version 6.6.0 Updates => 6.7.0 Updates
2015-12-17 11:49 user2 Relationship added duplicate of 0000563
2015-12-17 11:49 user2 Status confirmed => resolved
2015-12-17 11:49 user2 Resolution open => duplicate
2015-12-17 11:49 user2 Assigned To => user2
2015-12-17 11:49 user2 Status resolved => closed