> From: Robert L Mathews <[EMAIL PROTECTED]>
> Date: Mon, 25 Feb 2002 15:23:34 -0800
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Subject: Re: [courier-users] Re: webmail doesn't like asterisk in password?
>
> At 2/25/02 2:14 PM, marc lindahl wrote:
>
>> Strange.... I did that and it still doesn't work. Here's my change in
>> webmail/auth.c::login:
>>
>> if (badstr(uid)) /* || badstr(pass))*/
>> return (NULL);
>>
>> I just commented out checking the password only.
>
> That's the exact change I made (at line 259) and it solved the problem,
> so it should work for you. Check that you've recompiled/reinstalled
> properly.
>
I have checked thoroughly. After digging around some more (and I do mean
DIGGING, for DAYS), and debugging, I've found there's some weird bug only
with the '*' character in passwords. Did you actually try a password with
that? For some reason, it has the effect (in cgi()) of truncating the
username two characters for each '*' in the password.
> But during password *changing* (the second badstr call in auth.c),
> there's a whole different code path I didn't check, and I can only repeat
> the warning Sam gave me that some modules can potentially make those
> characters available to the shell.
I should point out that distributing the same function (e.g. filtering
passwords) into multiple places in a program is bad practice, regardless of
the security issues. I found no less than four different password filter
code segments - instead of referencing one function.
Also, at least in PAM, password changing is checked pretty well within the
module - where it should be.
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
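As an added example, not code from Courier or from anyone in this thread, the following C sketch shows the two points raised above from a defender's side: one shared metacharacter check instead of four copies, and handing the password to a helper as its own argv element so a '*' never reaches a shell in the first place. The reject set, the function names and the helper path are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed reject list for illustration: bytes a shell (or glob) could
 * interpret if the password were ever spliced into a command line. */
static const char SHELL_METACHARS[] = "*?[]{}()<>|&;$`'\"\\\n";

/* The one checkpoint: every code path that must refuse shell-sensitive
 * passwords calls this, instead of carrying its own copy of the test.
 * Returns 1 if s contains a byte from SHELL_METACHARS, else 0. */
int password_has_shell_metachar(const char *s)
{
    return strpbrk(s, SHELL_METACHARS) != NULL;
}

/* Safe hand-off: the credential becomes a separate argv element for
 * execve()/execv(), never part of a formatted "helper user pass" string.
 * A '*' is then an ordinary byte; no shell sees it, so no filter is needed
 * on this path.  argv must hold at least 4 pointers.  Returns the number
 * of elements filled, excluding the terminating NULL. */
int build_helper_argv(const char *helper, const char *user,
                      const char *pass, const char *argv[4])
{
    argv[0] = helper;
    argv[1] = user;
    argv[2] = pass;     /* delivered verbatim, e.g. "p*ss*word" stays intact */
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *argv[4];
    const char *pw = "p*ss*word";   /* constructed sample password */

    printf("metachar check: %d\n", password_has_shell_metachar(pw));
    build_helper_argv("/path/to/auth-helper" /* placeholder */, "marc", pw, argv);
    printf("argv[2] as handed to the helper: %s\n", argv[2]);
    return 0;
}
```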