[rt-users] Wide character in crypt generates stack trace with password revealed

2010-04-20 Thread Martin Drasar
Hi everyone,
when logging into RT having a Czech keyboard accidentally set, wide
characters may be accidentally supplied to the password routine. (Czech
keyboards have letters with wedges in the same row as numbers.)
This causes the error shown in the attached page, revealing the password to
bystanders as well as needlessly showing the RT path.

I am providing a quick patch that catches the exception generated by
crypt and makes RT behave as if an ordinary bad password was provided.

Martin

-- 
Mgr. Martin Drasar   dra...@ics.muni.cz
Network Security Department http://ics.muni.cz/
CSIRT-MU   http://www.muni.cz/csirt
Institute of Computer Science, Masaryk University, Brno, Czech Republic
   PGP Key ID: 0x944BC925





System error

  error:
    Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.

  context:
    ...
    1033:  return(1);
    1034:  }
    1035:
    1036:  #  if it's a historical password we say ok.
    1037:  if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))
    1038:  or $self->_GeneratePasswordBase64($value) eq $self->__Value('Password'))
    1039:  {
    1040:  # ...but upgrade the legacy password inplace.
    1041:  $self->SUPER::SetPassword( $self->_GeneratePassword($value) );
    ...

  code stack:
    /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm:1037
    /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:423
    /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:208
    /home/RT/RT-3.8.7/share/html/autohandler:53

raw error

Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.


Trace begun at /usr/share/perl5/HTML/Mason/Exceptions.pm line 129
HTML::Mason::Exceptions::rethrow_exception('Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.^J') called at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037
RT::User::IsPassword('RT::CurrentUser=HASH(0x104466a0)', 'ěščřžM-}M-aM-m') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 423
RT::Interface::Web::AttemptPasswordAuthentication('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 208
RT::Interface::Web::HandleRequest('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/share/html/autohandler line 53
HTML::Mason::Commands::__ANON__('pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM-M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x105a11f8)', 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM-M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 1273
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 1268
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM-M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 419
HTML::Mason::Request::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 165
HTML::Mason::Request::ApacheHandler::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 831
HTML::Mason::ApacheHandler::handle_request('HTML::Mason::ApacheHandler=HASH(0x104462f0)', 'Apache2::RequestRec=SCALAR(0x113c1290)') called at /home/RT/RT-3.8.7/bin/webmux.pl line 166
eval {...} at /home/RT/RT-3.8.7/bin/webmux.pl line 166
RT::Mason::handler('Apache2::RequestRec=SCALAR(0x113c1290)') called at -e line 0
eval {...} at -e line 0



--- User_Overlay.pm.bak 2010-04-20 11:45:52.0 +0200
+++ User_Overlay.pm 2010-04-20 11:54:19.0 +0200
@@ -1034,12 +1034,19 @@
 }
 
 #  if it's a historical password we say ok.
-if ($self-__Value('Password') eq crypt($value, $self-__Value('Password'))
-or $self-_GeneratePasswordBase64($value) eq 
$self-__Value('Password'))
+eval
 {
-# ...but upgrade the legacy password inplace.
-$self-SUPER::SetPassword( $self-_GeneratePassword($value) );
-return(1);
+  if ($self-__Value('Password') eq crypt($value, 
$self-__Value('Password'))
+  or $self-_GeneratePasswordBase64($value) eq 
$self-__Value('Password'))
+  {
+  # ...but upgrade the legacy password inplace.
+  $self-SUPER::SetPassword( $self-_GeneratePassword($value) );
+  return(1);
+  }
+};
+if ($@) {
+  $RT::Logger-info(Caught 
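
Review bot: The `return(1);` now sits inside the new `eval { ... }` block, and in Perl a `return` inside an eval block leaves only the eval, not the enclosing method. A correct legacy password therefore upgrades the stored hash and then continues at `if ($@)` below the block instead of returning success from the method. Assign the result of the eval to a variable and do the `return(1)` after the block when that value is true. The logger call in the `if ($@)` branch is cut off in the visible text; whatever it logs should not interpolate `$value`. Since the exception comes from `crypt($value, ...)` receiving wide characters, converting `$value` to bytes before that call would remove the error instead of catching it.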

Re: [rt-users] Wide character in crypt generates stack trace with password revealed

2010-04-20 Thread Ruslan Zakirov
Hello Martin,

1) There is a warning in the config regarding using stack traces and how
it can reveal secure information.
2) This particular problem has been solved in RT 3.8.8 RC2.

2010/4/20 Martin Drasar dra...@ics.muni.cz:
> Hi everyone,
> when logging into RT having a Czech keyboard accidentally set, wide
> characters may be accidentally supplied to the password routine. (Czech
> keyboards have letters with wedges in the same row as numbers.)
> This causes the error shown in the attached page, revealing the password to
> bystanders as well as needlessly showing the RT path.
>
> I am providing a quick patch that catches the exception generated by
> crypt and makes RT behave as if an ordinary bad password was provided.
>
> Martin
>
> --
> Mgr. Martin Drasar                                   dra...@ics.muni.cz
> Network Security Department                         http://ics.muni.cz/
> CSIRT-MU                                       http://www.muni.cz/csirt
> Institute of Computer Science, Masaryk University, Brno, Czech Republic
>                       PGP Key ID: 0x944BC925
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
>



-- 
Best regards, Ruslan.
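
The failure discussed in this thread, reproduced outside RT as an added example (not RT's code and not the patch above). `legacy_password_ok` is a hypothetical helper, the hash and passwords are constructed sample data, and the sketch assumes stored legacy hashes were computed from UTF-8 bytes.

```perl
use strict;
use warnings;
use Encode qw(encode_utf8);

# Hypothetical stand-in for the legacy branch of a password check; not RT's code.
# Returns 1 on a match, 0 on a mismatch or on any failure inside crypt().
sub legacy_password_ok {
    my ($stored_hash, $candidate) = @_;
    return 0 unless defined $stored_hash && defined $candidate;

    # crypt() works on bytes. Encoding the character string first means code
    # points above 255 can no longer raise "Wide character in crypt".
    my $bytes = encode_utf8($candidate);

    # Capture the value of the eval and return from the sub afterwards:
    # a "return" placed inside eval {} would only leave the eval block.
    my $computed = eval { crypt($bytes, $stored_hash) };
    if (!defined $computed) {
        # Report that the check failed, never the candidate value itself.
        warn "legacy password check failed inside crypt()\n";
        return 0;
    }
    return $computed eq $stored_hash ? 1 : 0;
}

# Constructed sample data: a traditional crypt() hash of an ASCII password.
my $stored = crypt('s3cret', 'ab');

# Constructed wide-character input, as typed on a Czech layout (all code points > 255).
my $wide = "\x{11b}\x{161}\x{10d}\x{159}\x{17e}";

# 1) The failure from the thread: wide characters passed straight to crypt().
my $died = !defined eval { crypt($wide, $stored) };
print "raw crypt() on wide characters died: ", ($died ? "yes" : "no"), "\n";

# 2) The same input through the wrapper is treated as a wrong password.
print "wide-character input accepted: ", legacy_password_ok($stored, $wide), "\n";

# 3) The correct password still verifies.
print "correct password accepted: ", legacy_password_ok($stored, 's3cret'), "\n";
```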
