Bug: Quotes in password | Bitcointalksearch.org

K1773R

legendary

Activity: 1792

Merit: 1008

/dev/null

Quote from: theymos on November 25, 2012, 01:01:00 PM

Quote from: J-Norm on November 25, 2012, 11:20:56 AM

I was just about to say the same thing. When quotes or other odd characters cause strange bugs then that is a sign of potential vulnerability due to MYSQL injection.

I determined previously that the password is escaped too much, not under-escaped. SMF does escaping in an absolutely insane way, though, so I haven't been able to figure out how to fix this. The password doesn't even need to be escaped because it is hashed, but SMF automatically escapes all GET/POST input, and then sometimes unescapes it or escapes it more later. It's very difficult to follow.

is this already fixed?

RodeoX

legendary

Activity: 3066

Merit: 1147

The revolution will be monetized!

Nice bug report exxe! Thank you.

J-Norm

newbie

Activity: 56

Merit: 0

There is no point in normalizing passwords that are going to be hashed, the hashing normalizes them.

This seems like a design flaw. un_htmlspecialchars does not belong there.

deepceleron

legendary

Activity: 1512

Merit: 1036

Here's the same bug, older than dirt: http://www.simplemachines.org/community/index.php?topic=96927.0

It looks like the problem might be this in the LogInOut.php module, where it potentially alters the password before hashing it:

$sha_passwd = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));

but then in other places are inconsistent, like Profile.php, in resetting password function we see it's missing the "un_htmlspecialchars" when hashing:

if (!$good_password && $user_info['passwd'] != sha1(strtolower($cur_profile['member_name']) . $_POST['oldpasswrd']))
$post_errors[] = 'bad_password';

What does that blue function do?:

Syntax
void un_htmlspecialchars (string $text)

Parameter $text

Expected type: String
Description: string to be have htmlspecialchars removed.

Notes

removes the base entities (<, ", etc.) from text.
should be used instead of html_entity_decode for PHP version compatibility reasons.
additionally converts and '.

I have had similar headaches with buggy password managers and such, when using type-able characters such as <, >, that they get interpreted, stripped, or truncated (or even better, put into HTML raw without converting to > which breaks the HTML.)

exxe

full member

Activity: 187

Merit: 100

Quote from: 2112 on November 25, 2012, 01:23:41 PM

Maybe somebody changed the "magic_quites_" in php.ini?

Most likely magic quotes would have no effect if you have the same input.

PW change would update password to: hash('12345678\"')
Login would check: is hash('12345678\"') same as db hash => true

The problem is that it is escaped differently I guess.

2112

legendary

Activity: 2128

Merit: 1073

Maybe somebody changed the "magic_quites_" in php.ini?

exxe

full member

Activity: 187

Merit: 100

It could also be an unnecessary escape in the login code of course.

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: J-Norm on November 25, 2012, 11:20:56 AM

I was just about to say the same thing. When quotes or other odd characters cause strange bugs then that is a sign of potential vulnerability due to MYSQL injection.

I determined previously that the password is escaped too much, not under-escaped. SMF does escaping in an absolutely insane way, though, so I haven't been able to figure out how to fix this. The password doesn't even need to be escaped because it is hashed, but SMF automatically escapes all GET/POST input, and then sometimes unescapes it or escapes it more later. It's very difficult to follow.

K1773R

legendary

Activity: 1792

Merit: 1008

/dev/null

Quote from: exxe on November 24, 2012, 06:20:18 AM

Steps to reproduce:
1. Go to profile and change your password to something like 12345678"
2. Now logout and try to login again.
3. Notice that your new password 12345678" and your old password don't work anymore.

Am I the only one who uses quotes in passwords? Cheesy

try 12345678\" as password Wink

if not then 12346789\\", increase the number of \ Tongue

J-Norm

newbie

Activity: 56

Merit: 0

Quote from: ThomasV on November 24, 2012, 06:47:35 AM

why did you choose 12345678" ?
this is a very boring choice... next time try something like 12345678"); DROP TABLE USERS;
it will be more fun

I was just about to say the same thing. When quotes or other odd characters cause strange bugs then that is a sign of potential vulnerability due to MYSQL injection.

Sometimes the password:

Code:

'); SELECT 1; --

will let you log into anyone on a poorly coded site.

See this plaintext link for lots of info on this sort of thing: http://www.greensql.com/articles/backdoor-webserver-using-mysql-sql-injection

I do hope this gets attention from the admins before it does from the hackers.

http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Clearnet - https://xkcd.com/327/

theymos

administrator

Activity: 5222

Merit: 13032

I think that the password gets double-escaped somewhere, but I haven't been able to find where this happens.

ThomasV

legendary

Activity: 1896

Merit: 1353

why did you choose 12345678" ?
this is a very boring choice... next time try something like 12345678"); DROP TABLE USERS;
it will be more fun

exxe

full member

Activity: 187

Merit: 100

Steps to reproduce:
1. Go to profile and change your password to something like 12345678"
2. Now logout and try to login again.
3. Notice that your new password 12345678" and your old password don't work anymore.

Am I the only one who uses quotes in passwords? Cheesy

Topic: Bug: Quotes in password (Read 1519 times)