Bug 245278 - Changing to a password with a single quote does not work
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Console
Version: 1.0.4
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Noriko Hosoi
Chandrasekar Kannan
Blocks: 434915 389_1.3.0
Reported: 2007-06-21 23:41 EDT by David Keegel
Modified: 2015-01-04 18:27 EST
Doc Type: Bug Fix
Last Closed: 2014-06-16 12:24:54 EDT


Attachments
389-admin-console: git patch file (master) (2.54 KB, patch)
2011-02-11 15:08 EST, Noriko Hosoi
no flags
389-admin-console: git patch file (master) (2.63 KB, patch)
2011-02-11 15:15 EST, Noriko Hosoi
no flags
AS: git patch file (master) (1.17 KB, patch)
2011-02-11 18:39 EST, Noriko Hosoi
rmeggins: review+
AS: git patch file (master) (2.96 KB, patch)
2011-02-12 21:49 EST, Noriko Hosoi
nkinder: review+
rmeggins: review+

Description David Keegel 2007-06-21 23:41:20 EDT
Description of problem:
Using the Console to change the admin password to a new password with 
a single quote (') in it does not work as expected - the password is actually
set to a different value.

Version-Release number of selected component (if applicable):
Fedora-DS 1.0.4

How reproducible:
Very

Steps to Reproduce:
1. Login to Directory Management Console
2. Change admin password to pass'word
3. Try to login again to Directory Management Console
Actual results:
Should be able to login to console with user="admin", password="pass'word"

Expected results:
Console gives error saying user/password is incorrect.

Additional info:
uffe reports that the password is url-encoded from pass'word to pass%27word.
Comment 4 David Keegel 2009-02-12 20:29:31 EST
Hmm, I think I swapped actual & expected results above.

The upshot is that if you change to a password with a single quote (apostrophe) in it, then you will *not* be able to login to the Console with that new password.
This can leave sysadmins with no way to login to FDS, which is really bad.

Could the change password screen at least display a warning or error if the new password has funny characters in it?  That would give you a clue that you should change the password before you get locked out of the Console (next time you try to login).
Comment 5 Rich Megginson 2009-02-13 10:26:28 EST
Have you tried to reproduce this problem with the latest Fedora DS 1.1.3 and other latest components (especially fedora-ds-admin 1.1.6 and adminutil 1.1.7)?  There were some fixes made in the url encoding/decoding area that may have helped with this problem.
Comment 7 Noriko Hosoi 2011-02-11 14:40:07 EST
(In reply to comment #5)
> Have you tried to reproduce this problem with the latest Fedora DS 1.1.3 and
> other latest components (especially fedora-ds-admin 1.1.6 and adminutil 1.1.7)?
>  There were some fixes made in the url encoding/decoding area that may have
> helped with this problem.

This bug still exists in this combination:
389-console-1.1.4-1.fc13.noarch
389-ds-console-doc-1.2.3-1.fc13.noarch
389-admin-console-1.1.5-1.fc13.noarch
389-admin-1.1.14-1.fc13.x86_64
389-ds-base-1.2.8-0.1.a1.fc13.x86_64

If you update password from Admin Console | Configuration | Access,
pass'word is converted to pass%27word.

If it is on the Directory Console | Edit Entry, 
pass'word is passed with no change.
Comment 8 Noriko Hosoi 2011-02-11 15:08:36 EST
Created attachment 478303 [details]
389-admin-console: git patch file (master)

Description: The save method in CGIAccessSetup "encodes" the admin
password with URLByteEncoder.encodeUTF8, which escapes a string in
the HTML safe manner, which should not be done for the password.
Comment 9 Noriko Hosoi 2011-02-11 15:15:23 EST
Created attachment 478306 [details]
389-admin-console: git patch file (master)
Comment 10 Noriko Hosoi 2011-02-11 15:19:41 EST
Note: The console password field does not accept non-ASCII characters at all.  The input method does not get enabled for the field.  If you force input of non-ASCII characters with copy & paste, the characters are simply dropped.
E.g., Liberté --> Libert
Comment 11 Rich Megginson 2011-02-11 17:37:17 EST
Comment on attachment 478306 [details]
389-admin-console: git patch file (master)

I think the console is doing the right thing - it should be url encoding/escaping possibly dangerous characters - I think mod_admserv should be unescaping the password
Comment 12 Noriko Hosoi 2011-02-11 17:52:16 EST
Hmmm, then the password input on the DS Console's Edit Entry should be escaped, as well?
Comment 13 Noriko Hosoi 2011-02-11 18:07:41 EST
Never mind...  DS sends the password in LDAP not via HTTP.  So, it won't break the protocol.
Comment 14 Noriko Hosoi 2011-02-11 18:39:52 EST
Created attachment 478329 [details]
AS: git patch file (master)

Thanks to Rich for his comments.  I cancelled the 389-admin-console patch.

Description: When the Admin User password is changed on the Admin
Console, the console escapes the password then sends it to the
Admin Server.  This patch adds the apache API ap_unescape_url to
mod_admserv to unescape the password before handling it.
Comment 15 Rich Megginson 2011-02-11 20:49:25 EST
Comment on attachment 478329 [details]
AS: git patch file (master)

ap_unescape_url() will do the unescape in place - is that safe to do?  This is the r->args pointer from the request_rec* passed in to the function.  It may be safe to rewrite that memory - I just don't know.
Comment 16 Noriko Hosoi 2011-02-12 21:49:58 EST
Created attachment 478422 [details]
AS: git patch file (master)

Thanks to Rich for his comments.  Instead of doing the in-place escape, changed to duplicate the given password and work on the copy.

Description: When the Admin User password is changed on the Admin
Console, the console escapes the password then sends it to the
Admin Server.  This patch adds the apache API ap_unescape_url to
mod_admserv to unescape the password before handling it.  Since
ap_unescape_url does the unescape in place, it duplicates the
given password and escapes on the duplicated memory.
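
The approach Comment 16 describes (duplicate the value, then unescape the copy), as an added stand-alone C example; this is not the mod_admserv patch. `unescape_password_copy` is a hypothetical name, and plain `malloc` plus a hand-written percent-decoder stand in for the Apache pool duplicate and `ap_unescape_url`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(unsigned char c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/*
 * Percent-decode `escaped` into a new buffer, leaving the caller's string
 * (standing in for r->args) unmodified. Returns NULL on a truncated or
 * non-hex escape and on an encoded NUL (%00), so a malformed value is
 * rejected instead of becoming a different password. Caller frees.
 */
char *unescape_password_copy(const char *escaped)
{
    const char *r;
    char *out = malloc(strlen(escaped) + 1); /* decoding never grows it */
    char *w = out;
    if (out == NULL) return NULL;
    for (r = escaped; *r != '\0'; r++) {
        int byte = (unsigned char)*r;
        if (*r == '%') {
            unsigned char hi = (unsigned char)r[1];
            /* only look at r[2] when r[1] is not the terminator */
            unsigned char lo = hi ? (unsigned char)r[2] : 0;
            if (!isxdigit(hi) || !isxdigit(lo) ||
                (byte = hexval(hi) * 16 + hexval(lo)) == 0) {
                free(out);
                return NULL;
            }
            r += 2;
        }
        *w++ = (char)byte;
    }
    *w = '\0';
    return out;
}

int main(void)
{
    char args[] = "pass%27word"; /* constructed query string, as in the access log */
    char *pw = unescape_password_copy(args);
    printf("args=%s decoded=%s\n", args, pw ? pw : "(rejected)");
    free(pw);
    return 0;
}
```

A literal `+` is left as-is here, and the `NULL` return has to be treated by the caller as a failed password change rather than falling back to the still-escaped string.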
Comment 17 Noriko Hosoi 2011-02-14 12:25:32 EST
Thanks to Rich and Nathan for their comments and reviews.

Pushed to master.

$ git merge 245278
Updating 2f738ad..0f07440
Fast-forward
 mod_admserv/mod_admserv.c |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)
$ git push
Counting objects: 7, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 847 bytes, done.
Total 4 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   2f738ad..0f07440  master -> master
Comment 18 Amita Sharma 2011-06-23 07:06:32 EDT
Tested as:
1. Login to Directory Management Console
2. Change admin password to pass'word
3. Try to login again to Directory Management Console


Console gives error saying user/password is incorrect.


And also the password in the access logs is: pass%27word
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:00 +0530] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:01 +0530] "POST /admin-serv/tasks/Configuration/ServerSetup HTTP/1.0" 200 251
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:03 +0530] "POST /admin-serv/tasks/Configuration/AccessSetup HTTP/1.0" 200 17
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:14 +0530] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:17 +0530] "POST /admin-serv/tasks/Configuration/AccessSetup HTTP/1.0" 200 14
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:17 +0530] "GET /admin-serv/commands/change-sie-password?pass%27word HTTP/1.0" 200 -
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:29 +0530] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:18:44 +0530] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:19:00 +0530] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19
10.65.193.133 - cn=Directory Manager [23/Jun/2011:16:19:15 +0530] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19

Moreover, in case I set the password like test123, even that password is not accepted, meaning it is like it is not changing the password... same as I opened a new bug - https://bugzilla.redhat.com/show_bug.cgi?id=715507 ??
Comment 19 Amita Sharma 2011-06-23 07:13:52 EDT
[root@amsharma admin-serv]# rpm -qa | grep 389
389-admin-console-doc-1.1.7-1.el6.noarch
389-admin-console-1.1.7-1.el6.noarch
389-ds-console-1.2.5-1.el6.noarch
389-ds-1.2.1-2.el6.noarch
389-adminutil-1.1.13-1.el6.x86_64
389-ds-base-devel-1.2.8.4-2.el6.x86_64
389-ds-base-libs-1.2.8.4-2.el6.x86_64
389-console-1.1.4-1.el6.noarch
389-admin-1.1.16-2.el6.x86_64
389-ds-console-doc-1.2.5-1.el6.noarch
389-ds-base-1.2.8.4-2.el6.x86_64
Comment 20 Noriko Hosoi 2011-07-11 13:23:50 EDT
I have no problem changing the admin password to pass'word.  Single quote is internally escaped and converted to %27, which is fine.

[11/Jul/2011:10:07:14 -0700] "GET /admin-serv/commands/change-sie-password?pass%27word HTTP/1.0" 200 -

My system is on F15 and ahead of yours, but I don't think there are any differences in the area...

What I did is identical to your test case.
1. Login Console; open Admin Console
2. On Configuration | Access tab, changed password (PASS'WORD); click Save
3. Exit Console
4. Restart Console; type PASS'WORD in the login panel.

[11/Jul/2011:10:19:28 -0700] "GET /admin-serv/commands/change-sie-password?PASS%27WORD HTTP/1.0" 200 -
Comment 21 Amita Sharma 2011-07-12 03:01:30 EDT
ok, done..
Marking as VERIFIED.
Comment 22 Rich Megginson 2014-06-16 09:39:28 EDT
should be marked CLOSED
