[rt-users] Wide character in crypt generates stack trace with password revealed

Tue, 20 Apr 2010 03:09:36 -0700 

Hi everyone,
when logging into RT having czech keyboard accidentaly set, wide
characters may be accidentally supplied to the password routine. (Czech
keyboard have letters with wedges in the same row as numbers).
This causes error shown in attached page, revealing password to
bystanders as well as needlessly showing RT path.

I am providing a quick patch that catches the exception generated by
crypt and makes RT behave like ordinary bad password was provided.

Martin

-- 
Mgr. Martin Drasar                                   [email protected]
Network Security Department                         http://ics.muni.cz/
CSIRT-MU                                       http://www.muni.cz/csirt
Institute of Computer Science, Masaryk University, Brno, Czech Republic
                       PGP Key ID: 0x944BC925

System error

error:  Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.
context: 
... 
1033:  return(1);
1034:  }
1035: 
1036:  # if it's a historical password we say ok.
1037:  if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))
1038:  or $self->_GeneratePasswordBase64($value) eq $self->__Value('Password'))
1039:  {
1040:  # ...but upgrade the legacy password inplace.
1041:  $self->SUPER::SetPassword( $self->_GeneratePassword($value) );
... 
code stack:  /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm:1037
/home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:423
/home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:208
/home/RT/RT-3.8.7/share/html/autohandler:53
raw error






























Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.


Trace begun at /usr/share/perl5/HTML/Mason/Exceptions.pm line 129
HTML::Mason::Exceptions::rethrow_exception('Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.^J') called at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037
RT::User::IsPassword('RT::CurrentUser=HASH(0x104466a0)', 'ěščřžM-}M-aM-m') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 423
RT::Interface::Web::AttemptPasswordAuthentication('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 208
RT::Interface::Web::HandleRequest('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/share/html/autohandler line 53
HTML::Mason::Commands::__ANON__('pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM->M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x105a11f8)', 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM->M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 1273
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 1268
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM->M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 419
HTML::Mason::Request::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 165
HTML::Mason::Request::ApacheHandler::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 831
HTML::Mason::ApacheHandler::handle_request('HTML::Mason::ApacheHandler=HASH(0x104462f0)', 'Apache2::RequestRec=SCALAR(0x113c1290)') called at /home/RT/RT-3.8.7/bin/webmux.pl line 166
eval {...} at /home/RT/RT-3.8.7/bin/webmux.pl line 166
RT::Mason::handler('Apache2::RequestRec=SCALAR(0x113c1290)') called at -e line 0
eval {...} at -e line 0

--- User_Overlay.pm.bak 2010-04-20 11:45:52.000000000 +0200
+++ User_Overlay.pm     2010-04-20 11:54:19.000000000 +0200
@@ -1034,12 +1034,19 @@
     }
 
     #  if it's a historical password we say ok.
-    if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))
-        or $self->_GeneratePasswordBase64($value) eq 
$self->__Value('Password'))
+    eval
     {
-        # ...but upgrade the legacy password inplace.
-        $self->SUPER::SetPassword( $self->_GeneratePassword($value) );
-        return(1);
+      if ($self->__Value('Password') eq crypt($value, 
$self->__Value('Password'))
+          or $self->_GeneratePasswordBase64($value) eq 
$self->__Value('Password'))
+      {
+          # ...but upgrade the legacy password inplace.
+          $self->SUPER::SetPassword( $self->_GeneratePassword($value) );
+          return(1);
+      }
+    };
+    if ($@) {
+      $RT::Logger->info("Caught exception: $@");
+      return(undef);
     }
 
     # no password check has succeeded. get out

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Reply via email to