[courier-users] Re: webmail doesn't like asterisk in password?

2002-02-25 Thread Robert L Mathews

At 2/24/02 12:00 PM, marc lindahl wrote:

> I found a function called badstr() in auth.c - it looks like it's being used
> to qualify both the username in verifyuid() and username and password in
> login() and login_changepwd().

This issue came up on the sqwebmail users list a couple of weeks ago. I 
did some fairly extensive research into it.

The badstr() function checks for shell characters in the password in two 
cases: when the user logs in, and when the user is changing the password.

I traced through the code and verified to my own satisfaction that the 
password can never be passed to the shell in the first case (user login). 
Therefore, I disabled the badstr() check in that case, and users can now 
login with their funky passwords.

The second case (user changing password) is NOT safe to disable, as the 
password may be passed to the shell by password-changing modules. I left 
the badstr() check in place there. (In my case, this didn't matter, as I 
don't allow users to change their passwords via sqwebmail anyway.)

This was all on version 3.2; it's theoretically possible things have 
changed in 3.3.1.

Hope this helps.

--
Robert L Mathews, Tiger Technologies

The trouble with doing something right the first time is that nobody
appreciates how difficult it was.


___
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
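An added example, not sqwebmail's code and not Robert's patch, to make the distinction he and Sam draw concrete: a badstr()-style metacharacter check only buys anything where the password could reach a shell or an expect script, and a password-changing helper that is started with execvp() and fed the password over a pipe never hands those bytes to a shell at all. The metacharacter list is an assumption, and `cat` stands in for the real helper so the bytes it receives can be read back and compared.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters a badstr()-style check refuses (assumed list, not sqwebmail's). */
static const char SHELL_META[] = "*?[]{}$`\"'\\|&;<>()!~#\n";

/* Returns 1 if pw contains a shell metacharacter, 0 otherwise. */
int has_shell_meta(const char *pw)
{
    return strpbrk(pw, SHELL_META) != NULL;
}

/* Runs `helper` with execvp() (no /bin/sh), writes pw to its stdin through a
 * pipe, and copies whatever the helper prints into out.  Because no shell ever
 * sees pw, a '*' or '$(...)' inside it is inert.  Returns bytes read, or -1. */
ssize_t feed_helper_stdin(const char *helper, const char *pw, char *out, size_t n)
{
    int in[2], outp[2];
    if (pipe(in) < 0 || pipe(outp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: wire pipes, exec helper */
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        char *argv[] = { (char *)helper, NULL };
        execvp(helper, argv);
        _exit(127);
    }
    close(in[0]); close(outp[1]);          /* parent keeps the other ends */
    size_t len = strlen(pw);
    ssize_t w = write(in[1], pw, len);     /* password travels over the pipe */
    close(in[1]);                          /* EOF tells the helper we're done */
    size_t got = 0; ssize_t r;
    while (got < n - 1 && (r = read(outp[0], out + got, n - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(outp[0]);
    waitpid(pid, NULL, 0);
    return (w == (ssize_t)len) ? (ssize_t)got : -1;
}
```

With `cat` as the helper, a constructed password such as `p*ss$(id)` comes back byte for byte, which is exactly the property a password-changing module loses once it builds a shell or expect command line from the string.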



Re: [courier-users] Re: webmail doesn't like asterisk in password?

2002-02-25 Thread Robert L Mathews

At 2/25/02 2:14 PM, marc lindahl wrote:

> Strange, I did that and it still doesn't work.  Here's my change in
> webmail/auth.c::login:
>
>     if (badstr(uid)) /* || badstr(pass))*/
>         return (NULL);
>
> I just commented out checking the password only.

That's the exact change I made (at line 259) and it solved the problem, 
so it should work for you. Check that you've recompiled/reinstalled 
properly.


> The second case (user changing password) is NOT safe to disable, as the
> password may be passed to the shell by password-changing modules. I left
> the badstr() check in place there.

Good point, potentially, but in reality PAM checks with cracklib, so where's
the security hole?  Services should be modular and not distributed, right
(one of them being qualifying passwords)?

I only traced through the code for password checking and verified that 
the pass variable is never made available to the shell after being run 
through badstr(), so the check there is (in my opinion) not needed.

But during password *changing* (the second badstr call in auth.c), 
there's a whole different code path I didn't check, and I can only repeat 
the warning Sam gave me that some modules can potentially make those 
characters available to the shell.

--
Robert L Mathews, Tiger Technologies






[courier-users] Re: webmail doesn't like asterisk in password?

2002-02-24 Thread Sam Varshavchik

marc lindahl writes: 

> Has anyone used webmail (sqwebmail) with a password with an asterisk (*) in
> it?  I had a test account set up with a * in the password and couldn't sign
> in with webmail - then I changed the password to have a '.' instead of a '*'
> and it worked.  I can also log into IMAP (or log into a shell) with the
> '*'-containing password (indicating it's not PAM, etc.).

Yes.  Certain characters in passwords are prohibited. 


-- 
Sam 





Re: [courier-users] Re: webmail doesn't like asterisk in password?

2002-02-24 Thread marc lindahl

> From: Sam Varshavchik [EMAIL PROTECTED]
>
> Yes.  Certain characters in passwords are prohibited.

I can't find where this is filtered in the code - can you point me to it?  I
don't mind patching it.  I'm migrating my mail system and I'm sure some
users have used * and other characters that are accepted by PAM.





[courier-users] Re: webmail doesn't like asterisk in password?

2002-02-24 Thread Sam Varshavchik

Anand Buddhdev writes: 

> On Sun, Feb 24, 2002 at 04:46:16PM -0500, Sam Varshavchik wrote:
>
> > Has anyone used webmail (sqwebmail) with a password with an asterisk (*) in
> > it?  I had a test account set up with a * in the password and couldn't sign
> > in with webmail - then I changed the password to have a '.' instead of a '*'
> > and it worked.  I can also log into IMAP (or log into a shell) with the
> > '*'-containing password (indicating it's not PAM, etc.).
>
> Yes.  Certain characters in passwords are prohibited.
>
> I fail to understand. What's wrong with a '*' in a password? This

Shell metacharacters are prohibited.  I am not yet comfortable with letting 
metacharacters through to expect. 

-- 
Sam 





Re: [courier-users] Re: webmail doesn't like asterisk in password?

2002-02-24 Thread Juha Saarinen

On Sun, 24 Feb 2002, Sam Varshavchik wrote:

> Shell metacharacters are prohibited.  I am not yet comfortable with
> letting metacharacters through to expect.

I'm with Sam on this one. L33t h4X0R usernames like $*%\\\/// can lead to
unexpected results, if you get my drift.

-- 
Juha
Take off every sig!





Re: [courier-users] Re: webmail doesn't like asterisk in password?

2002-02-24 Thread Anand Buddhdev

On Sun, Feb 24, 2002 at 05:45:00PM -0500, Sam Varshavchik wrote:

> > I fail to understand. What's wrong with a '*' in a password? This
>
> Shell metacharacters are prohibited.  I am not yet comfortable with letting
> metacharacters through to expect.

Ok. That's a valid point. But it does cause confusion for users, since '*'
is a fairly common character used in passwords. And this prohibition is not
even mentioned in the webmail documentation, is it?

-- 
Anand Buddhdev




Re: [courier-users] Re: webmail doesn't like asterisk in password?

2002-02-24 Thread marc lindahl

> From: Sam Varshavchik [EMAIL PROTECTED]
> Date: Sun, 24 Feb 2002 16:46:16 -0500
> To: [EMAIL PROTECTED]
> Subject: [courier-users] Re: webmail doesn't like asterisk in password?
>
> marc lindahl writes:
>
> > Has anyone used webmail (sqwebmail) with a password with an asterisk (*) in
> > it?  I had a test account set up with a * in the password and couldn't sign
> > in with webmail - then I changed the password to have a '.' instead of a '*'
> > and it worked.  I can also log into IMAP (or log into a shell) with the
> > '*'-containing password (indicating it's not PAM, etc.).
>
> Yes.  Certain characters in passwords are prohibited.


I found a function called badstr() in auth.c - it looks like it's being used
to qualify both the username in verifyuid() and username and password in
login() and login_changepwd().

My question is:
Are there other places in other files where the password is being
checked/filtered?
