ClearOS Bug Tracker


View Issue Details
ID: 0000070
Project: ClearOS
Category: clearos-framework
View Status: public
Date Submitted: 2010-04-08 20:57
Last Update: 2010-07-20 12:42
Reporter: bchambers
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 5.1
Target Version: 5.2
Fixed in Version: 5.2
Summary: 0000070: Selecting root or user password with < or > characters prevents webconfig login
Description: < and > are valid characters for a password that can be used to select the root password during installation and (possibly, not verified) used when creating user accounts or resetting a password.

/var/webconfig/gui/Webconfig.inc.php has a "WebCheckFormVariables" method which barfs "Invalid form variable" when it sees a < or >.

This makes logging into webconfig impossible.
Additional Information: To duplicate, set root password to something like:

bob>123

using passwd utility.

Then, try logging in to webconfig as root.
Tags: No tags attached.
Attached Files

Relationships
related to 0000012 (closed, user2): Invalid character using asterisk

Notes
(0000174)
user2
2010-06-09 11:49

Source Code Changelog
---------------------------------------------------
- Created a workaround for basic XSS check and logins [fixed tracker 0000070]

File Changes
---------------------------------------------------
U legacy/webconfig/trunk/gui/Webconfig.inc.php
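
The conflict described in this issue, as an added example that is not the ClearOS change or code from Webconfig.inc.php: a blanket < / > form filter beside a variant that exempts credential fields and encodes other values at output. All function and field names are assumptions made for illustration.

```php
<?php
// Added illustration. Function and field names are hypothetical, not ClearOS code.

// Assumed names of fields that carry secrets and are never echoed into HTML.
const CREDENTIAL_FIELDS = ['password', 'verify', 'old_password'];

// Blanket check of the kind the report describes: any < or > is rejected,
// whichever field it appears in.
function check_form_blanket(array $form): array
{
    $errors = [];
    array_walk_recursive($form, function ($value, $name) use (&$errors) {
        if (is_string($value) && preg_match('/[<>]/', $value)) {
            $errors[] = "Invalid form variable: $name";
        }
    });
    return $errors;
}

// Variant: credential fields skip the character filter because they are handed
// to the authentication backend, not rendered; every other field is still checked.
function check_form_exempt_credentials(array $form): array
{
    return check_form_blanket(array_diff_key($form, array_flip(CREDENTIAL_FIELDS)));
}

// Encoding at the point of output is what keeps a reflected value inert,
// independent of any input filter.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions.
$login  = ['username' => 'root', 'password' => 'bob>123'];
$markup = ['username' => '<script>x</script>', 'password' => 'bob>123'];

var_dump(check_form_blanket($login));             // password from the report, blanket filter
var_dump(check_form_exempt_credentials($login));  // same submission, credentials exempt
var_dump(check_form_exempt_credentials($markup)); // markup in a non-credential field
echo html_escape($markup['username']), PHP_EOL;   // value as it would be written into a page
```

The exemption only holds if the password value is never written back into a response, log view or error message; any field that is rendered needs the output encoding regardless of the filter.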

Issue History
Date Modified Username Field Change
2010-04-08 20:57 bchambers New Issue
2010-04-10 11:12 user2 Relationship added related to 0000012
2010-04-10 11:12 user2 Severity major => minor
2010-04-10 11:12 user2 Status new => confirmed
2010-04-29 12:34 user2 Checkin
2010-04-29 12:34 user2 Note Added: 0000098
2010-04-29 12:35 user2 Note Deleted: 0000098
2010-06-09 11:49 user2 Checkin
2010-06-09 11:49 user2 Note Added: 0000174
2010-06-09 11:49 user2 Status confirmed => resolved
2010-06-09 11:49 user2 Resolution open => fixed
2010-06-09 11:50 user2 Fixed in Version => 5.2
2010-06-09 11:50 user2 Target Version => 5.2
2010-07-20 12:42 user2 Status resolved => closed