Password Issue

[bambenek]

I have a user trying to reset his password, my settings are default (12 characters and /((?=.\d)|(?=.\W+))(?![\n])(?=.[A-Z])(?=.[a-z]).*$/).

He is trying to set this and it doesn't work saying not matching complexity requirements:
mSW%vuc@ot85>?

and

aA9!$!@#$@#aeuc<.a

Related, I can't set a specific password for users as admin because it asks me to enter existing password. As admin I should be able to specify a password, right?

If you would like to report a bug, please fill the template bellow

Work environment

Questions	Answers
Type of issue	Bug
OS version (server)	ubuntu
OS version (client)	XP, Seven, 10, Ubuntu, ...
PHP version	5.4, 5.5, 5.6, 7.0, 7.1...
MISP version / git hash	2.4.78
Browser	If applicable

Expected behavior

Actual behavior

Steps to reproduce the behavior

Logs, screenshots, configuration dump, ...

[iglocska]

Weird, will test the password complexity issue. As for the existing password, as an admin you have to enter your password, not that of the user :)

…

On Sat, Aug 12, 2017 at 12:00 AM, John Bambenek ***@***.***> wrote: I have a user trying to reset his password, my settings are default (12 characters and /((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$/). He is trying to set this and it doesn't work saying not matching complexity requirements: ***@***.***>? and aA9!$!@#$@#aeuc<.a Related, I can't set a specific password for users as admin because it asks me to enter existing password. As admin I should be able to specify a password, right? *If you would like to report a bug, please fill the template bellow* Work environment Questions Answers Type of issue Bug OS version (server) ubuntu OS version (client) XP, Seven, 10, Ubuntu, ... PHP version 5.4, 5.5, 5.6, 7.0, 7.1... MISP version / git hash 2.4.78 Browser If applicable Expected behavior Actual behavior Steps to reproduce the behavior Logs, screenshots, configuration dump, ... — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2394>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADf6wOOHPmF2SkyoCyXu357Ss1zM8Ox-ks5sXM7zgaJpZM4O1LZ-> .

[bambenek]

Ahh, ok re: entering my password

…

-- John Bambenek

On Aug 12, 2017, at 00:13, Andras Iklody ***@***.***> wrote: Weird, will test the password complexity issue. As for the existing password, as an admin you have to enter your password, not that of the user :) On Sat, Aug 12, 2017 at 12:00 AM, John Bambenek ***@***.***> wrote: > I have a user trying to reset his password, my settings are default (12 > characters and /((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$/). > > He is trying to set this and it doesn't work saying not matching > complexity requirements: > ***@***.***>? > > and > > aA9!$!@#$@#aeuc<.a > > Related, I can't set a specific password for users as admin because it > asks me to enter existing password. As admin I should be able to specify a > password, right? > > *If you would like to report a bug, please fill the template bellow* > Work environment > Questions Answers > Type of issue Bug > OS version (server) ubuntu > OS version (client) XP, Seven, 10, Ubuntu, ... > PHP version 5.4, 5.5, 5.6, 7.0, 7.1... > MISP version / git hash 2.4.78 > Browser If applicable Expected behavior Actual behavior Steps to > reproduce the behavior Logs, screenshots, configuration dump, ... > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#2394>, or mute the thread > <https://github.com/notifications/unsubscribe-auth/ADf6wOOHPmF2SkyoCyXu357Ss1zM8Ox-ks5sXM7zgaJpZM4O1LZ-> > . > — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[iglocska]

Weird, just tried the password above in my dev instance with default complexity settings and it seems to work fine...

[bambenek]

I'm pretty sure I didn't change my settings... can you send me the defaults so I can restore those on my box?

…

On 8/13/2017 5:38 PM, Andras Iklody wrote: Weird, just tried the password above in my dev instance with default complexity settings and it seems to work fine... — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YX8wT_C3NPFmUhFpDmt8FaY1M-lXAks5sX3rjgaJpZM4O1LZ->.

-- -- John Bambenek

[RichieB2B]

We are experiencing the same issue after we upgraded MISP to 2.4.78 (from 2.4.75). I think the problem is with the Blowfish patch 3317f56 Even through it contains a verifyPassword() that looks decent it is not always used:

2017-08-16 10:10:01 Warning: Warning (512): Invalid salt: {40xHEX} for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/Security.php, line 323]
Trace:
ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230
Security::_crypt() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 323
Security::hash() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 115
BlowfishPasswordHasher::check() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BlowfishPasswordHasher.php, line 45
BaseAuthenticate::_findUser() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BaseAuthenticate.php, line 138
FormAuthenticate::authenticate() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/FormAuthenticate.php, line 79
AuthComponent::identify() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 771
AuthComponent::login() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 611
UsersController::login() - APP/Controller/UsersController.php, line 769
ReflectionMethod::invokeArgs() - [internal], line ??
Controller::invokeAction() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 491
Dispatcher::_invoke() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 193
Dispatcher::dispatch() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 167
[main] - APP/webroot/index.php, line 92

[iglocska]

That shouldn't be used for the validation issue he gets so it's strange. The password complexity is checked against the raw input, not the hash.

…

On Wed, Aug 16, 2017 at 1:25 PM, Richie B2B ***@***.***> wrote: We are experiencing the same issue after we upgraded MISP to 2.4.78 (from 2.4.75). I think the problem is with the Blowfish patch 3317f56 <3317f56> Even through it contains a verifyPassword() that looks decent it is not always used: 2017-08-16 10:10:01 Warning: Warning (512): Invalid salt: {40xHEX} for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/Security.php, line 323] Trace: ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230 Security::_crypt() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 323 Security::hash() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 115 BlowfishPasswordHasher::check() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BlowfishPasswordHasher.php, line 45 BaseAuthenticate::_findUser() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BaseAuthenticate.php, line 138 FormAuthenticate::authenticate() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/FormAuthenticate.php, line 79 AuthComponent::identify() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 771 AuthComponent::login() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 611 UsersController::login() - APP/Controller/UsersController.php, line 769 ReflectionMethod::invokeArgs() - [internal], line ?? Controller::invokeAction() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 491 Dispatcher::_invoke() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 193 Dispatcher::dispatch() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 167 [main] - APP/webroot/index.php, line 92 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADf6wHa5zj18QMPf4TytEbCZyhW41e_gks5sYtHHgaJpZM4O1LZ-> .

[RichieB2B]

It seems that #2401 was unrelated to this issue after all. We are still experiencing this issue after #2401 was fixed.

[iglocska]

Interesting, so you have it too?

…

On Thu, Aug 17, 2017 at 11:27 AM, Richie B2B ***@***.***> wrote: It seems that #2401 <#2401> was unrelated to this issue after all. We are still experiencing this issue after #2401 <#2401> was fixed. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADf6wFgCvuWrP93uvZJ85h3lNrV9xS9Jks5sZAdmgaJpZM4O1LZ-> .

[RichieB2B]

A user is complaining about it but I cannot reproduce it. Will troubleshoot some more..

[iglocska]

Interesting. Just tried it with a read only user too (with the default settings accepted / empty) but same thing. Not sure what's up. Can you ask the user to paste what the flash message says on top after it fails?

[RichieB2B]

The user is hitting /users/change_pw because I reset his password (so the change_pw field is set). He is getting this message:

The password could not be updated. Make sure you meet the minimum password length / complexity requirements.

This is from https://github.com/MISP/MISP/blob/2.4/app/Controller/UsersController.php#L158

[RichieB2B]

Reading $this->User->validationErrors after the $this->User->save($user) reveals the problem:

Array
(
    [newsread] => Array
        (
            [0] => boolean
        )

)

CakePHP is expecting a boolean where the users table is filled with epoch timestamps in this column. How did that happen?

[iglocska]

Interesting. OK, didn't realise it was the change_pw function, I kept using the user edit to change it. Looking into it. I might be a bit slow with it though, stuck in a literal 2 day conf call.

[iglocska]

Reproduced, fix incoming.

[iglocska]

Well I have no clue how that happened. Even more so how the newsread field worked in the first place o.O

[RichieB2B]

I've created #2405 so we can use change_pw more. :-)

[bambenek]

FYI, I'm still having the password reset issue on my MISP instance after pulling from master for latest code.

[iglocska]

Which part? The regex failing?

[bambenek]

Yes, says passwords cannot be updated, fails to meet min complexity requirements.

…

On 8/24/2017 1:47 AM, Andras Iklody wrote: Which part? The regex failing? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YXwPharRj3RNtvT5DUOfok6Itua_Eks5sbRyZgaJpZM4O1LZ->.

-- -- John Bambenek

[iglocska]

Could you paste the commit ID you're on? Is it the latest? Do you have the silly

Security.require_password_confirmation

setting enabled?

[bambenek]

I just did a pull so should be latest. 6eb...8aa That setting is false on my instance.

…

On 8/24/2017 4:16 PM, Andras Iklody wrote: Could you paste the commit ID you're on? Is it the latest? Do you have the silly |Security.require_password_confirmation| setting enabled? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YX0FCYvfZOtpvDh0CpvMwQox7W2Bnks5sbeghgaJpZM4O1LZ->.

-- -- John Bambenek

[RichieB2B]

Check your newsread column in the users MySQL table. If it contains a timestamp you have the same issue I did.

[bambenek]

Have a bunch of timestamps in there, what's the specific issue?

…

On 8/24/2017 4:32 PM, Richie B2B wrote: Check your newsread column in the users MySQL table. If it contains a timestamp you have the same issue I did. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YX9v7DzLY7ownPUWkzoADASiEYX9Tks5sbev6gaJpZM4O1LZ->.

-- -- John Bambenek

[iglocska]

Wait, newsread is supposed to contain a timestamp...

[bambenek]

Many are NULL in my case, but quite a few timestamps in there, and one odd 0 value.

…

On 8/24/2017 4:39 PM, Andras Iklody wrote: Wait, newsread is supposed to contain a timestamp... — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YX06TTJJ2O_LbALu5mGeG7rpvcPlaks5sbe2bgaJpZM4O1LZ->.

-- -- John Bambenek

[iglocska]

Null is weird. Default should be 0, could be a carry-over from old versions, maybe that's indeed the culprit.

Basically the way it works: If user's newsread < timestamp of the last news item, redirect the user to the news section (which updates the user's newsread to the current timestamp). Null might cause issues. Could you try to run:

Update users set newsread = 0 where newsread is NULL;

and see if it fixes it?

[RichieB2B]

Set your newsread to 0 and try to change your password. CakePHP somehow thinks it should be a Boolean value and refuses to save the data if it isn't.

[iglocska]

Not boolean, but an integer. The validation checks for numeric values, the null must be a carry over from an older version.

[iglocska]

Just pushed a possible quick fix.

[iglocska]

Time to hit the sack, will check back in the morning.

[bambenek]

I both updated mysql and did another pull, verified it works now. Thanks!

[RichieB2B]

14d5b04 will prevent NULL values in newsread to become a problem, but you are missing the real issue. In the datamodel newsread is defined as boolean yet timestamps are stored in it. This causes the save() function to fail the data model verification.

I'll do a one liner PR again. :)

[iglocska]

That is just the name of the verification (which is indeed incorrect), the actual rule used is numeric so it shouldn't make a difference ;)

However, good idea to fix the name!

[RichieB2B]

Then I am totally lost. A user with this problem had a timestamp as newsread. He was unable to change his password. Troubleshooting revealed the failed verification. I set his newsread to 0 and the problem was gone.

[iglocska]

The validation was fixed like a week ago, was this before or after?

[RichieB2B]

This was last Friday..

[iglocska]

Hmph. Could you reproduce it now?

[RichieB2B]

Hmph. Nope, even with a timestamp as newsread it now works fine.

[iglocska]

Good ;)

[RichieB2B]

Ah, now I see: I must have been running without the fix in e0de52a last Friday. I suppose this issue is now dead and buried. ;-)

[iglocska]

That's how all issues should be, dead and buried that is! :)))

[bambenek]

FLAWLESS VICTORY

…

On 8/25/2017 3:52 AM, Andras Iklody wrote: That's how all issues should be, dead and buried that is! :))) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2394 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YX5eisX4vf1syEe_SQMxMQXMz6oK5ks5sbotLgaJpZM4O1LZ->.

-- -- John Bambenek

[gecko97]

Hi there,
I am having the same issue when n user tries to set a new password from the GUI.

Currently installed version… v2.4.88
Ubuntu 16.04

The password could not be updated. Make sure you meet the minimum password length / complexity requirements.

despite I am indeed setting a complex password as required, and the mentioned fix (e0de52a) is in place.
I have no errors details in error.log.

What I have noticed is when I hover the mouse on the Password information icon ("i") nothing appears, It looks like the javascript PasswordPopover is not being loaded.

Any ideas?
Thanks

[uberbigun]

Same issue with MISP on Ubuntu 16.04 and the server built from scratch today