View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001162 | Main CAcert Website | source code | public | 2013-04-17 08:15 | 2020-05-22 11:33 |
Reporter | Uli60 | Assigned To | INOPIAE | ||
Priority | high | Severity | tweak | Reproducibility | have not tried |
Status | fix available | Resolution | open | ||
Product Version | 2013 Q2 | ||||
Summary | 0001162: calculate (the passwords) hash in php instead of in mysql -> \\ | ||||
Description | Subtitle: Increase in password problems after production environment upgrade (2013-04-03). Support and Critical team received reports via several channels (email, IRC) that people with special chars in their passwords had problems in logging on and recovering their passwords. Question to critical team about current state of "magic quotes" setting after migration: all OFF; magic quotes setting before migration was ON. The "magic quotes" feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. The support of "magic quotes" probably also relates to other than password storage functions in the webdb code. I remember a problem we had back in 2009 with multiplied backslashes in comment fields. PG did some magic on the production system and fixed this problem (this was before the software assessment team started working). Global task: mimic the "magic quotes" function in all PHP code that transfers data to and from the MySQL database. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
related to | 0001260 | needs work | BenBE | Make the source compatible with recent PHP versions |
related to | 0001172 | closed | BenBE | Move the database engine from myISAM to InnoDB |
related to | 0001031 | fix available | Patrick | Disable use of insecure function mysql_escape_string() |
related to | 0000585 | closed | Issues with escaping on web-site e-mail forms |
Some hints taken from ticket s20130415.71: 38 characters, upper and lower case, numbers and these special characters <>:+-?@$&\# did not work; 25 characters, upper and lower case, numbers and these special characters :$/{[), did work.

Some hints from the next ticket s20130422.77: @ seems to make problems.

Pushed the fix with the exchange from mysql_escape_string to mysql_real_escape_string: https://github.com/INOPIAE/CAcert/commit/f0318d79dbc69e444fee4c085cdb3ee152318e1c

On Testserver

Changed password to a1<>:+-?@$&\# and to ""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/ and to যেমন কিছু我的名字是 اسمي如東西таких как нечто (Bengali, easy Chinese, space, Arabic, classic Chinese, Russian). Both were accepted and did not produce problems at the login afterwards. Then I set the password as Admin again to 1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/ and I could login without problems afterwards. [However, when I tried to reset my password to something quite easy I got an error because it was too short, but neither in the error message nor in the interface for resetting passwords was I informed how long a password has to be. (As SE I could set such a short PW.)] => ok

1. Changed password (as user) to: a1<>:+-?@$&\# ""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/ যেমন কিছু我的名字是 اسمي如東西таких как нечто GP10xwzI5i. Login worked in all cases => OK
2. Set another user's password (as admin) to the same passwords as above. Login worked in all cases => OK

The proposed fix only replaces mysql_escape_string() by mysql_real_escape_string(). It does nothing to calculate the password hash in PHP instead of MySQL => Rejected

Tried to solve the problem with: https://github.com/CAcertOrg/cacert-devel/commit/2cb06760223218ca4b2a0482225d6fbfa77a63bb and https://github.com/CAcertOrg/cacert-devel/commit/a7eaa6d8e14ba7152e3ed3d200b30ad1eed68610 But didn't test, because I don't have a test system so far.
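The approach the summary asks for (calculate the hash in PHP, not in MySQL) as an added example; this is not CAcert's code and not the content of the commits linked in the notes. It assumes a PDO connection, a `users` table with `email` and `password` columns, and `password_hash()`/`password_verify()` as the hash scheme; the tracker does not say which hash CAcert's code uses, so that choice is an assumption. The self-check reuses the test passwords from the notes above and also shows why logins broke: once magic quotes were switched off, the slash-mangled copy of a password no longer matches the hash of the typed one.

```php
<?php
// Added example, not CAcert's code: hash the password in PHP and hand MySQL only
// the finished hash as a bound parameter, so neither magic_quotes_gpc nor
// mysql_escape_string()/mysql_real_escape_string() can change the bytes that
// get hashed. The table/column names (users, email, password) and the use of
// PDO and password_hash() are assumptions made for this illustration.

declare(strict_types=1);

/** Hash exactly the string the user typed; no SQL escaping is involved. */
function hashPasswordInPhp(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/** Store the hash via a prepared statement: the placeholder carries data, not SQL text. */
function setPassword(PDO $db, string $email, string $plain): void
{
    $stmt = $db->prepare('UPDATE users SET password = :hash WHERE email = :email');
    $stmt->execute([':hash' => hashPasswordInPhp($plain), ':email' => $email]);
}

/**
 * Verify in PHP too: fetch the stored hash by user and compare with
 * password_verify(), instead of letting MySQL compare PASSWORD('...') or
 * SHA1('...') against a literal built from user input.
 */
function checkPassword(PDO $db, string $email, string $plain): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($plain, $hash);
}

/**
 * Self-check without a database, on passwords taken from the tracker notes.
 * It also shows the old failure mode: with magic_quotes_gpc=On the value
 * reaching the hash was effectively addslashes($plain), which no longer
 * matches once magic quotes are gone.
 */
function selfCheck(): bool
{
    $samples = [
        'a1<>:+-?@$&\\#',
        '1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\\/',
        'যেমন কিছু我的名字是 اسمي如東西таких как нечто',
    ];
    foreach ($samples as $plain) {
        $hash = hashPasswordInPhp($plain);
        if (!password_verify($plain, $hash)) {
            return false;   // the typed password must verify
        }
        $slashed = addslashes($plain);
        if ($slashed !== $plain && password_verify($slashed, $hash)) {
            return false;   // a slash-mangled copy must not verify
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo selfCheck() ? "self-check passed\n" : "self-check FAILED\n";
}
```

Run it with `php` on the command line to execute the self-check; `setPassword()` and `checkPassword()` only need a `PDO` handle for the real database. The point is that the password string never becomes part of an SQL statement at all, so the escaping regime of the PHP runtime (magic quotes on or off, which `mysql_*_escape_string` variant is used) cannot influence the stored hash.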
Date Modified | Username | Field | Change |
---|---|---|---|
2013-04-17 08:15 | Uli60 | New Issue | |
2013-04-17 08:17 | Uli60 | Category | account administration => source code |
2013-04-17 13:21 | BenBE | Priority | normal => high |
2013-04-17 13:21 | BenBE | Severity | minor => tweak |
2013-04-17 13:21 | BenBE | Status | new => confirmed |
2013-04-17 13:21 | BenBE | Product Version | => 2013 Q2 |
2013-04-22 20:35 | INOPIAE | Note Added: 0003905 | |
2013-04-23 20:17 | INOPIAE | Note Added: 0003908 | |
2013-04-23 20:56 | INOPIAE | Note Added: 0003913 | |
2013-04-23 20:56 | INOPIAE | Assigned To | => BenBE |
2013-04-23 20:56 | INOPIAE | Status | confirmed => fix available |
2013-04-30 23:39 | INOPIAE | Relationship added | related to 0001172 |
2013-05-15 05:59 | INOPIAE | Relationship added | related to 0001031 |
2013-05-30 14:11 | INOPIAE | Relationship added | related to 0000585 |
2013-06-11 20:35 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 216271b2 |
2013-06-11 20:35 | INOPIAE | Source_changeset_attached | => cacert-devel testserver-stable f0318d79 |
2013-06-11 21:10 | BenBE | Reviewed by | => BenBE |
2013-06-11 21:10 | BenBE | Note Added: 0004047 | |
2013-06-11 21:10 | BenBE | Status | fix available => needs review & testing |
2013-09-21 06:01 | BenBE | Assigned To | BenBE => egal |
2013-10-08 22:13 | Eva | Note Added: 0004375 | |
2013-10-08 22:14 | Eva | Note Edited: 0004375 | |
2013-10-20 13:44 | JensK | Note Added: 0004399 | |
2013-10-20 13:46 | JensK | Note Edited: 0004399 | |
2013-10-20 14:45 | BenBE | Status | needs review & testing => needs review |
2013-11-19 15:19 | NEOatNHNG | Reviewed by | BenBE => |
2013-11-19 15:19 | NEOatNHNG | Note Added: 0004456 | |
2013-11-19 15:19 | NEOatNHNG | Status | needs review => needs work |
2014-03-19 10:55 | BenBE | Relationship added | related to 0001260 |
2015-10-20 20:15 | BenBE | Assigned To | egal => Eva |
2015-12-11 10:08 | GuKKDevel | Note Added: 0005491 | |
2015-12-11 10:11 | GuKKDevel | Note Edited: 0005491 | |
2015-12-11 14:58 | GuKKDevel | Note Edited: 0005491 | |
2016-02-11 23:32 | BenBE | Assigned To | Eva => INOPIAE |
2016-02-11 23:32 | BenBE | Status | needs work => fix available |