[BlueOnyx:19582] Re: Passwords on 5106R

Michael Stauber mstauber at blueonyx.it
Tue May 17 11:20:57 -05 2016


Hi Dirk,

> one of our customers is complaining that " and + are not
> accepted by the GUI (he thinks ~ since 2 weeks).
> Were there some changes in the last days/weeks?

No updates of any significance were released for 5106R, 5107R or 5108R
in the last couple of weeks.

However: On 5207R, 5208R and 5209R I revised the password mechanism
after a discussion here on the list. See: [BlueOnyx:19548]

It's as follows: The new GUI uses XSS protection by default. That means
it sanitizes all POST requests (and URL parameters) to prevent someone
from using XSS attacks. There is even one character that it not only
sanitizes, but totally and utterly rips out and replaces with nothing.
That's the ampersand: "&".

So in the new GUI we have never been able to use an ampersand in a
password, simply because CodeIgniter's XSS protection just removes it
from any POST request or URL variable.

However, there are other characters that are equally problematic due to
our architecture and get "lost in translation" somewhere at the seams
between PHP, CodeIgniter, Perl-Handlers, the cce.so PHP module, CCEd and
CODB.

So I did some analysis of which characters are problematic and modified
the "strong password check" in the GUI to actually show you if you're
using a "forbidden" character in a password. You then get the error
message "Password contains illegal characters."

As "forbidden" or "illegal" we simply label anything that we can't
handle properly.

These updates were then published for 5207R, 5208R and 5209R about two
weeks ago.

  Forbidden:
  ==========
  Anything between octal 001 and 040 control chars and space
  Octal \042, which means: "
  Octal \046, which means: &
  Octal \047, which means: '
  Octal \057, which means: /
  Octal \074, which means: <
  Octal \076, which means: >
  Octal \077, which means: ?
  Octal \100, which means: @
  Octal \133-\140, which means: [ \ ] ^ _ `
  Octal \173-\177, which means: { | } ~ and DELete key.
  For octal codes see:
https://courses.engr.illinois.edu/ece390/books/labmanual/ascii-code-table.html


  Still allowed chars:
  ====================
  Any alphanumeric character and these: !#$%()*+,-.:;=

So your client is probably not having this issue on any BlueOnyx with
the old GUI, but rather one with the new GUI. And yes: There the above
listed "forbidden" characters will no longer be accepted as new passwords.

The *only* forbidden character that we can't warn against is the
ampersand (&), as the PHP page that checks passwords actually won't see
the ampersand as the XSS protection has already removed it from the
input before we can check if it's present.

So the plus sign (+) is still allowed. Single or double quotes aren't.
They may have worked for user account passwords before, but as MySQL
passwords they have always been problematic. And I'd rather have the same
password mechanism for both user account passwords as well as MySQL
passwords.

-- 
With best regards

Michael Stauber
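The character rule from the message above, as an added example in Python (not BlueOnyx's own PHP/CodeIgniter code): it builds the allowed and forbidden sets from the octal list in the post, checks that the two lists really partition printable ASCII, and models the order of operations that keeps the ampersand invisible to the check. The strip_ampersand function is a constructed stand-in for the filter behaviour the post describes, not CodeIgniter's code.

```python
import string

# Allowed set, as stated in the post: ASCII alphanumerics plus these punctuation marks.
ALLOWED = set(string.ascii_letters + string.digits + "!#$%()*+,-.:;=")

# Forbidden set, built from the post's octal list, used to cross-check ALLOWED.
FORBIDDEN = (
    {chr(c) for c in range(0o001, 0o040 + 1)}           # control chars and space
    | {chr(c) for c in (0o042, 0o046, 0o047, 0o057,     # " & ' /
                        0o074, 0o076, 0o077, 0o100)}    # < > ? @
    | {chr(c) for c in range(0o133, 0o140 + 1)}         # [ \ ] ^ _ `
    | {chr(c) for c in range(0o173, 0o177 + 1)}         # { | } ~ DEL
)


def illegal_chars(password: str) -> list:
    """Characters in password outside the allowed set (sorted, deduplicated)."""
    return sorted({c for c in password if c not in ALLOWED})


def check_password(password: str):
    """Mirror the GUI's error text: None if clean, else the message from the post."""
    if illegal_chars(password):
        return "Password contains illegal characters."
    return None


def printable_ascii_is_partitioned() -> bool:
    """Sanity check: every printable ASCII char is in exactly one of the two sets."""
    printable = {chr(c) for c in range(0o041, 0o177)}
    return all((c in ALLOWED) != (c in FORBIDDEN) for c in printable)


def strip_ampersand(value: str) -> str:
    """Constructed stand-in for the XSS filter the post describes: '&' is dropped outright."""
    return value.replace("&", "")


def submit_via_gui(password: str) -> dict:
    """Order of operations from the post: the filter runs before the check sees the input,
    so an ampersand is silently lost and the check cannot warn about it."""
    seen = strip_ampersand(password)
    return {"stored": seen, "error": check_password(seen), "silently_altered": seen != password}
```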


