[BlueOnyx:19585] Re: Passwords on 5106R

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Tue May 17 16:24:41 -05 2016


Michael,

oh sorry. My mistake.
The customer who is complaining has a 5209R.
For this server, the " and + in passwords seem not to have been working for some days/weeks.

Best regards,
Dirk


-----------------------------------------------
blackpoint GmbH - Friedberger Straße 106 - 61118 Bad Vilbel

Managing Director
Tel.: +49 6101 65788 20
Fax: +49 6101 65788 99
eMail: dirk.estenfeld at blackpoint.de

Authorized representatives: Dirk Estenfeld and Mario Di Rienzo, HRB 50093 Frankfurt am Main, VAT ID de210106871


-----------------------------------------------

-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Michael Stauber
Sent: Tuesday, 17 May 2016 18:21
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:19582] Re: Passwords on 5106R

Hi Dirk,

> one of our customers is complaining that " and + are not 
> accepted by the GUI (he thinks ~ since 2 weeks).
> Were there some changes in the last days/weeks?

No updates of any significance were released for 5106R, 5107R or 5108R
in the last couple of weeks.

However: On 5207R, 5208R and 5209R I revised the password mechanism
after a discussion here on the list. See: [BlueOnyx:19548]

It's as follows: The new GUI uses XSS protection by default. Means:
It'll sanitize all POST requests (and URL parameters) to prevent
someone from using XSS attacks. There is even one character it not only
sanitizes, but totally and utterly rips out and replaces with nothing.
That's the ampersand: "&".

So in the new GUI we have never been able to use ampersand in a
password. Simply because CodeIgniter's XSS protection just removes it
from any POST request or URL variable.

However, there are other characters that are equally problematic due to
our architecture and get "lost in translation" somewhere at the seams
between PHP, CodeIgniter, Perl-Handlers, the cce.so PHP module, CCEd and
CODB.

So I did some analysis of which characters are problematic and modified the
"strong password check" in the GUI to actually show you if you're using
a "forbidden" character in a password. You then get the error message
"Password contains illegal characters."

As "forbidden" or "illegal" we simply label anything that we can't
handle properly.

These updates were then published for 5207R, 5208R and 5209R about two
weeks ago.

  Forbidden:
  ==========
  Anything between octal 001 and 040 control chars and space
  Octal \042, which means: "
  Octal \046, which means: &
  Octal \047, which means: '
  Octal \057, which means: /
  Octal \074, which means: <
  Octal \076, which means: >
  Octal \077, which means: ?
  Octal \100, which means: @
  Octal \133-\140, which means: [ \ ] ^ _ `
  Octal \173-\177, which means: { | } ~ and DELete key.
  For octal codes see:
https://courses.engr.illinois.edu/ece390/books/labmanual/ascii-code-table.html


  Still allowed chars:
  ====================
  Any alphanumeric character and these: !#$%()*+,-.:;=

So your client is probably not having this issue on any BlueOnyx with
the old GUI, but rather one with the new GUI. And yes: There the above
listed "forbidden" characters will no longer be accepted as new passwords.

The *only* forbidden character that we can't warn against is the
ampersand (&), as the PHP page that checks passwords actually won't see
the ampersand as the XSS protection has already removed it from the
input before we can check if it's present.

So the plus sign (+) is still allowed. Single or double quotes aren't.
They may have worked for user account passwords before, but as MySQL
passwords they have always been problematic. And I'd rather have the same
password mechanism for both user account passwords as well as MySQL
passwords.

-- 
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
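The character rules Michael lists above, and the ordering problem that keeps the ampersand out of reach of the check, as an added Python model. This is not BlueOnyx or CodeIgniter code (the GUI itself is PHP); all function names are made up, and non-ASCII characters are assumed to count as forbidden since the post does not mention them.

```python
# Model of the "strong password check" character rules from the post, plus
# the XSS-filter ordering that hides '&' from the check. Added illustration,
# not BlueOnyx code; all names are invented for this example.
import string

# Allowed set exactly as the post lists it: alphanumerics plus !#$%()*+,-.:;=
ALLOWED = set(string.ascii_letters + string.digits + "!#$%()*+,-.:;=")

# Forbidden set built from the post's octal ranges, kept for cross-checking.
FORBIDDEN = {chr(c) for c in range(0o001, 0o040 + 1)}    # control chars and space
FORBIDDEN |= set('"&\'/<>?@')                             # \042 \046 \047 \057 \074 \076 \077 \100
FORBIDDEN |= {chr(c) for c in range(0o133, 0o140 + 1)}   # [ \ ] ^ _ `
FORBIDDEN |= {chr(c) for c in range(0o173, 0o177 + 1)}   # { | } ~ DEL


def lists_are_complementary() -> bool:
    """Every ASCII char 0x01-0x7F is in exactly one of the two sets."""
    ascii_chars = {chr(c) for c in range(1, 0x80)}
    return (ALLOWED | FORBIDDEN) == ascii_chars and not (ALLOWED & FORBIDDEN)


def illegal_chars(password: str) -> set:
    """Characters the check would report as illegal (assumption: anything
    outside the allowed ASCII set, including non-ASCII, is rejected)."""
    return {ch for ch in password if ch not in ALLOWED}


def xss_strip(raw: str) -> str:
    """Stand-in for the framework's XSS filter as the post describes it:
    the ampersand is not escaped but removed outright."""
    return raw.replace("&", "")


def gui_check(raw_post_value: str) -> set:
    """The order the post describes: filter first, then the check, so an
    ampersand never reaches illegal_chars()."""
    return illegal_chars(xss_strip(raw_post_value))


def stored_value(raw_post_value: str) -> str:
    """What gets saved when gui_check() passes: the filtered string, which
    silently differs from what the user typed whenever it held '&'."""
    if gui_check(raw_post_value):
        raise ValueError("Password contains illegal characters.")
    return xss_strip(raw_post_value)


def silently_altered(raw_post_value: str) -> bool:
    """Check a defender can run wherever the raw value is still visible
    (i.e. before the filter): flag input the filter would change."""
    return xss_strip(raw_post_value) != raw_post_value
```

Running `illegal_chars` on the raw value catches the ampersand; running it after `xss_strip`, as `gui_check` does, cannot, which is exactly the gap the post describes.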