View Issue Details

IDProjectCategoryView StatusLast Update
0001162Main CAcert Websitesource codepublic2020-05-22 11:33
ReporterUli60 Assigned ToINOPIAE  
PriorityhighSeveritytweakReproducibilityhave not tried
Status fix availableResolutionopen 
Product Version2013 Q2 
Summary0001162: calcutate (the passwords) hash in php instead of in mysql -> \\
Descriptionsubtitle: Increase in password problems after production environment upgrade (2013-04-03)

Support and Critical team received reports via several channels (email, irc) that people with special chars in their passwords had problems in logging on, recovering their passwords

Question to critical team about current state of "magic quotes" setting after migration is all OFF
magic quotes setting before migration was ON

The "magic quotes" feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0

The support of "magic quotes" probably also relates to other then passwords storage functions in the webdb code
I'll remember about a problem we had back in 2009 with multipled backslashes in comments fields. PG did some magical on the production system and fixed this problem (this was, before software assessment team started working)

global task: mimicry the "magic quotes" function in all php code in transfer data to and from mysql database
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0001260 needs workBenBE Make the source compatible with recent PHP versions 
related to 0001172 closedBenBE Move the database engine from myISAM to InnoDB 
related to 0001031 fix availablePatrick Disable use of insecure function mysql_escape_string() 
related to 0000585 closed Issues with escaping on web-site e-mail forms 

Activities

INOPIAE

2013-04-22 20:35

updater   ~0003905

some hints taken from ticket s20130415.71
38 charcters
upper and lower case, numbers and these special characters <>:+-?@$&\#
did not work

25 charcters
upper and lower case, numbers and these special characters :$/{[),
did work

INOPIAE

2013-04-23 20:17

updater   ~0003908

some hints from the next ticket s20130422.77
@ seems to make problems

INOPIAE

2013-04-23 20:56

updater   ~0003913

pushed the fix with the exchange from mysql_escape_string to mysql_real_escape_string
https://github.com/INOPIAE/CAcert/commit/f0318d79dbc69e444fee4c085cdb3ee152318e1c

BenBE

2013-06-11 21:10

updater   ~0004047

On Testserver

Eva

2013-10-08 22:13

updater   ~0004375

Last edited: 2013-10-08 22:14

Changed Password to
a1<>:+-?@$&\#
and to
""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/
and to
যেমন কিছু我的名字是 اسمي如東西таких как нечто
(bengal, easy chineese, space, arabic, classic chineese, russian)

Both were accepted and did not produce problems at the login afterwards.

Then I set the password as Admin again to
1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/

I could login without problems afterwards.

[However when I tried to reset my password to something quite easy I got an error because it was too short, but neither in the error message nor in the interface for resetting passwords I was informed how long a password has to be. (As SE I could set such a short PW.)]

=> ok

JensK

2013-10-20 13:44

reporter   ~0004399

Last edited: 2013-10-20 13:46

1. Changed password (as user) to:
a1<>:+-?@$&\#
""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/
যেমন কিছু我的名字是 اسمي如東西таких как нечто
GP10xwzI5i

Login worked in all cases => OK

2. Set another user's password (as admin) to the same passwords as above

Login worked in all cases => OK

NEOatNHNG

2013-11-19 15:19

administrator   ~0004456

The proposed fix only replaces mysql_escape_string() by mysql_real_escape_string(). It does nothing to calculate the password hash in PHP instead of MySQL

=> Rejected

GuKKDevel

2015-12-11 10:08

updater   ~0005491

Last edited: 2015-12-11 14:58

Tried to solve the problem with:

https://github.com/CAcertOrg/cacert-devel/commit/2cb06760223218ca4b2a0482225d6fbfa77a63bb

and

https://github.com/CAcertOrg/cacert-devel/commit/a7eaa6d8e14ba7152e3ed3d200b30ad1eed68610

But didn't test, because I don't have a Testsystem so far.

Issue History

Date Modified Username Field Change
2013-04-17 08:15 Uli60 New Issue
2013-04-17 08:17 Uli60 Category account administration => source code
2013-04-17 13:21 BenBE Priority normal => high
2013-04-17 13:21 BenBE Severity minor => tweak
2013-04-17 13:21 BenBE Status new => confirmed
2013-04-17 13:21 BenBE Product Version => 2013 Q2
2013-04-22 20:35 INOPIAE Note Added: 0003905
2013-04-23 20:17 INOPIAE Note Added: 0003908
2013-04-23 20:56 INOPIAE Note Added: 0003913
2013-04-23 20:56 INOPIAE Assigned To => BenBE
2013-04-23 20:56 INOPIAE Status confirmed => fix available
2013-04-30 23:39 INOPIAE Relationship added related to 0001172
2013-05-15 05:59 INOPIAE Relationship added related to 0001031
2013-05-30 14:11 INOPIAE Relationship added related to 0000585
2013-06-11 20:35 BenBE Source_changeset_attached => cacert-devel testserver-stable 216271b2
2013-06-11 20:35 INOPIAE Source_changeset_attached => cacert-devel testserver-stable f0318d79
2013-06-11 21:10 BenBE Reviewed by => BenBE
2013-06-11 21:10 BenBE Note Added: 0004047
2013-06-11 21:10 BenBE Status fix available => needs review & testing
2013-09-21 06:01 BenBE Assigned To BenBE => egal
2013-10-08 22:13 Eva Note Added: 0004375
2013-10-08 22:14 Eva Note Edited: 0004375
2013-10-20 13:44 JensK Note Added: 0004399
2013-10-20 13:46 JensK Note Edited: 0004399
2013-10-20 14:45 BenBE Status needs review & testing => needs review
2013-11-19 15:19 NEOatNHNG Reviewed by BenBE =>
2013-11-19 15:19 NEOatNHNG Note Added: 0004456
2013-11-19 15:19 NEOatNHNG Status needs review => needs work
2014-03-19 10:55 BenBE Relationship added related to 0001260
2015-10-20 20:15 BenBE Assigned To egal => Eva
2015-12-11 10:08 GuKKDevel Note Added: 0005491
2015-12-11 10:11 GuKKDevel Note Edited: 0005491
2015-12-11 14:58 GuKKDevel Note Edited: 0005491
2016-02-11 23:32 BenBE Assigned To Eva => INOPIAE
2016-02-11 23:32 BenBE Status needs work => fix available