[BlueOnyx:21871] Re: GUI Login issue for user admin (5209R)

Michael Stauber mstauber at blueonyx.it
Wed Mar 21 11:13:15 -05 2018


Hi RC,

> Did you get it fixed? If what was / is the fix

Since a year or two the GUI only allows user-passwords that conform to
the following standards:

6-24 characters, any alphanumeric character plus: !#$%()*+,-.:;=

The GUI login page would still allow *all* characters, though.

On Tuesday this week I was informed by Paul Marsh from
SecQuest Information Security Ltd (www.secquest.co.uk) that the BlueOnyx
GUI's login page was vulnerable to XSS attacks.

I could confirm his report and published an updated base-alpine within 12
hours of being notified about the problem.

The issue was that the login page (contrary to any subsequent GUI page)
did not disallow problematic characters being entered into the
"Username" or "Password" field, which would allow an attacker to break
out of the HTML form and to include JavaScript code in the GUI page
while it was being accessed in a browser. To be used in a successful
attack, the visitor's PC or browser must already be compromised via
other means. Hence, on its own, the XSS vulnerability of the GUI login
page wasn't super critical. Nonetheless: we needed to fix it.

The updated base-alpine now makes sure that the "Username" and
"Password" fields of the login form accept only passwords that are in
the same format that's being used on the GUI pages where the passwords
can be set or changed.

Means:
======

Usernames:
----------

alphanumerics, dot, underscore or minus.

Passwords:
----------

6-24 characters, any alphanumeric character plus: !#$%()*+,-.:;=

If you previously set a password from the command line via
"htpasswd" that contains disallowed characters, then log in by SSH as
admin/root (that still works) and use "passwd" to change the password to
something that contains nothing but the allowed characters.

-- 
With best regards

Michael Stauber
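The whitelist rules quoted above, expressed as input validation with HTML-escaping of anything echoed back to the page. This is an added example written for this post, not the base-alpine code, and it assumes the post's "alphanumeric" means ASCII letters and digits; the function names and the sample input are constructed here.

```python
import html
import re

# Username rule from the post: alphanumerics, dot, underscore or minus.
# Password rule from the post: 6-24 characters, alphanumerics plus !#$%()*+,-.:;=
# Assumption: ASCII alphanumerics, expressed as anchored full-match regexes.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
PASSWORD_RE = re.compile(r"^[A-Za-z0-9!#$%()*+,\-.:;=]{6,24}$")


def username_is_valid(name: str) -> bool:
    """Whitelist check for the login form's Username field."""
    return bool(USERNAME_RE.fullmatch(name))


def password_is_valid(pw: str) -> bool:
    """Whitelist check for the login form's Password field; also tells you
    whether an htpasswd-set password needs to be changed with passwd."""
    return bool(PASSWORD_RE.fullmatch(pw))


def validate_login_input(username: str, password: str) -> list:
    """Return the names of the fields that fail the whitelist (empty list = OK)."""
    errors = []
    if not username_is_valid(username):
        errors.append("username")
    if not password_is_valid(password):
        errors.append("password")
    return errors


def render_login_form(username: str) -> str:
    """Re-render the form with the submitted username echoed back.
    Escaping quotes and angle brackets is the defence in depth: even a value
    the whitelist rejects cannot break out of the attribute when redisplayed."""
    return '<input type="text" name="username" value="%s">' % html.escape(
        username, quote=True
    )


if __name__ == "__main__":
    # Constructed sample: a username containing a quote and a tag, which the
    # old login page would have passed through to the HTML unchanged.
    bad_user = 'admin"><b>x</b>'
    print(validate_login_input(bad_user, "Secret-1!"))   # ['username']
    print(render_login_form(bad_user))                   # attribute stays closed
    print(validate_login_input("admin", "short"))        # ['password']
```

Usernames are rejected before any rendering happens; the escaping in `render_login_form` only matters for the path where a rejected value is shown back to the user, which is exactly the spot the login page got wrong.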


