On 12/04/11 5:30 PM, Ritter, Nicholas wrote:
I just tested a PCI-related password change for a username that is
authenticated against ActiveDirectory when accessing the PF 2.1.0 web
admin interface. If the password contains a special character (or
specifically in this case an exclamation point), the login fails. The
web interface says (in the top left corner) "Invalid sensitive
parameter".
There's some aggressive validation of the fields in the login form. I
don't really know why they are there. Overly aggressive anti-XSS, I guess.
For passwords, here's the regexp: /^[\@a-zA-Z0-9_\:\,\(\)]/ so starting
with a ! will pose a problem.
Any thoughts/fixes/suggestions?
I simplified the validation. Can you apply the attached patch and let me
know if it works? I haven't tested it since I don't have the proper lab
config right now.
--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
#
# old_revision [1da8589bbf4abb9ec9d61e3834fd02138a23cc2c]
#
# patch "pf/html/admin/login.php"
# from [b49c4bb30396db34b77174aa942eaf95ba04f23d]
# to [fec32738105d32d6088c4c252465b14b3c3becb4]
#
============================================================
--- pf/html/admin/login.php b49c4bb30396db34b77174aa942eaf95ba04f23d
+++ pf/html/admin/login.php fec32738105d32d6088c4c252465b14b3c3becb4
@@ -38,18 +38,16 @@ function check_input($input){
}
}
-//TODO are we being too difficult on what we accept as a password? ie: pass
starting with ; is invalid
-function check_sensitive_input($input){
- if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]/", $input) && strlen($input) <= 15){
+# rejecting NULLs because they end-up doing an anonymous LDAP bind
+function check_password($input){
+ if (isset($input)) {
return true;
- }
- else{
- print "Invalid sensitive parameter<br>";
+ } else {
+ print "Invalid password<br>";
return false;
}
}
-
// First we try to authenticate users through LDAP if LDAP config file is there
// if the LDAP config file is not defined or if the LDAP auth fails then we
authenticate through the local file
# TODO: have a better integration of admin auth parameters in config files or
admin interface
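Review bot: `isset($input)` in the new check_password() returns true for the empty string, so the guard does not do what the comment above it says: an empty password is precisely the case that turns a simple LDAP bind into an unauthenticated (anonymous) bind, and it passes this check. Test for a non-empty string instead, e.g. `if (isset($input) && $input !== '')` or `strlen($input) > 0`. Minor: the new comment uses `#` while the surrounding code uses `//`, and the removed TODO is worth keeping in some form until the username check (check_input) gets the same review, since it still applies the old validation.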
@@ -216,7 +214,7 @@ else {
}
}
- if (isset($_POST['username'], $_POST['password']) &&
check_input($_POST['username']) && check_sensitive_input($_POST['password'])) {
+ if (isset($_POST['username'], $_POST['password']) &&
check_input($_POST['username']) && check_password($_POST['password'])) {
$hash = validate_user($_POST['username'], $_POST['password']);
if(!$hash || !isset($_COOKIE['test'])){
$failed = true;
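Review bot: the condition already calls `isset($_POST['username'], $_POST['password'])`, so `check_password($_POST['password'])`, whose body is only `isset($input)`, can never return false at this call site and the "Invalid password" branch is unreachable. Either drop the call or make check_password() reject `''` so the empty-password case mentioned in its comment is actually caught before validate_user() is reached.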
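To make the behaviour concrete, here is an added example (not PacketFence code, and not from either message above) that runs the pre-patch check from login.php, the patched check, and a stricter variant side by side on a few constructed passwords. The function names with `old_`, `patched_` and `strict_` prefixes and the sample inputs are mine; the regular expression and the `isset()` test are copied from the patch.

```php
<?php
// Added example for this thread (not PacketFence code). It compares the
// pre-patch password check, the patched one, and a stricter variant on
// constructed inputs, to show why '!Secret23' was rejected and what the
// isset()-only replacement lets through.

// Pre-patch check_sensitive_input(): the character class is only anchored
// with ^, so just the FIRST character is constrained; the rest of the
// string is never examined. Length is capped at 15.
function old_check_sensitive_input($input) {
    return preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]/", $input) === 1
        && strlen($input) <= 15;
}

// Patched check_password(): isset() on a variable holding "" returns true,
// so the empty string is accepted.
function patched_check_password($input) {
    return isset($input);
}

// Stricter variant (my suggestion, not in the patch): require a non-empty
// string, so an empty password is never handed to an LDAP simple bind,
// where an empty password means an unauthenticated (anonymous) bind.
function strict_check_password($input) {
    return is_string($input) && strlen($input) > 0;
}

// Constructed sample inputs (not real credentials).
$samples = array(
    'Secret!23'          => 'exclamation mark, but not first',
    '!Secret23'          => 'exclamation mark first (the reported case)',
    'aVeryLongPassw0rd1' => 'eighteen characters',
    ''                   => 'empty string (anonymous bind risk)',
);

foreach ($samples as $password => $description) {
    printf("%-20s old=%-5s patched=%-5s strict=%-5s  %s\n",
        var_export($password, true),
        var_export(old_check_sensitive_input($password), true),
        var_export(patched_check_password($password), true),
        var_export(strict_check_password($password), true),
        $description);
}
```

Run it with `php example.php`. The old check accepts only 'Secret!23' and rejects the other three (the leading '!' fails the first-character class, the 18-character value fails the length cap, and preg_match does not match the empty string), which also shows that the "anti-XSS" regex never looked past the first character. The patched check accepts all four, including the empty string. The strict variant accepts the three non-empty passwords and rejects only the empty one.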
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users