Password Issue #2394
Comments
Weird, will test the password complexity issue.
As for the existing password, as an admin you have to enter your password,
not that of the user :)
Ahh, ok re: entering my password
--
John Bambenek

Weird, just tried the password above in my dev instance with default complexity settings and it seems to work fine...

I'm pretty sure I didn't change my settings... can you send me the
defaults so I can restore those on my box?
--
John Bambenek

We are experiencing the same issue after we upgraded MISP to 2.4.78 (from 2.4.75). I think the problem is with the Blowfish patch 3317f56. Even though it contains a verifyPassword() that looks decent, it is not always used:
2017-08-16 10:10:01 Warning: Warning (512): Invalid salt: {40xHEX} for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/Security.php, line 323]
Trace:
ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230
Security::_crypt() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 323
Security::hash() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 115
BlowfishPasswordHasher::check() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BlowfishPasswordHasher.php, line 45
BaseAuthenticate::_findUser() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BaseAuthenticate.php, line 138
FormAuthenticate::authenticate() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/FormAuthenticate.php, line 79
AuthComponent::identify() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 771
AuthComponent::login() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 611
UsersController::login() - APP/Controller/UsersController.php, line 769
ReflectionMethod::invokeArgs() - [internal], line ??
Controller::invokeAction() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 491
Dispatcher::_invoke() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 193
Dispatcher::dispatch() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 167
[main] - APP/webroot/index.php, line 92

That shouldn't be used for the validation issue he gets, so it's strange.
The password complexity is checked against the raw input, not the hash.

Interesting, so you have it too?
> On Thu, Aug 17, 2017 at 11:27 AM, Richie B2B wrote:
> It seems that #2401 was unrelated to this issue after all. We are still experiencing this issue after #2401 was fixed.

A user is complaining about it but I cannot reproduce it. Will troubleshoot some more..

Interesting. Just tried it with a read only user too (with the default settings accepted / empty) but same thing. Not sure what's up. Can you ask the user to paste what the flash message says on top after it fails?

The user is hitting /users/change_pw because I reset his password (so the change_pw field is set). He is getting this message:
This is from https://github.com/MISP/MISP/blob/2.4/app/Controller/UsersController.php#L158

Reading
CakePHP is expecting a boolean where the users table is filled with epoch timestamps in this column. How did that happen?

Interesting. OK, didn't realise it was the change_pw function, I kept using the user edit to change it. Looking into it. I might be a bit slow with it though, stuck in a literal 2 day conf call.

Reproduced, fix incoming.

Well I have no clue how that happened. Even more so how the newsread field worked in the first place o.O

I've created #2405 so we can use change_pw more. :-)

FYI, I'm still having the password reset issue on my MISP instance after pulling from master for latest code.

Which part? The regex failing?

Yes, says passwords cannot be updated, fails to meet min complexity requirements.
--
John Bambenek

Could you paste the commit ID you're on? Is it the latest? Do you have the silly Security.require_password_confirmation setting enabled?

I just did a pull so should be latest.
6eb...8aa
That setting is false on my instance.
--
John Bambenek

Check your newsread column in the users MySQL table. If it contains a timestamp you have the same issue I did.

Have a bunch of timestamps in there, what's the specific issue?
--
John Bambenek

Wait, newsread is supposed to contain a timestamp...

Many are NULL in my case, but quite a few timestamps in there, and one odd 0 value.
--
John Bambenek

Null is weird. Default should be 0, could be a carry-over from old versions, maybe that's indeed the culprit. Basically the way it works: if the user's newsread < timestamp of the last news item, redirect the user to the news section (which updates the user's newsread to the current timestamp). Null might cause issues. Could you try to run:
and see if it fixes it?

Set your newsread to 0 and try to change your password. CakePHP somehow thinks it should be a Boolean value and refuses to save the data if it isn't.

Not boolean, but an integer. The validation checks for numeric values, the null must be a carry-over from an older version.

Just pushed a possible quick fix.

Time to hit the sack, will check back in the morning.

I both updated mysql and did another pull, verified it works now. Thanks!

14d5b04 will prevent NULL values in newsread from becoming a problem, but you are missing the real issue. In the datamodel newsread is defined as boolean yet timestamps are stored in it. This causes the save() function to fail the data model verification. I'll do a one-liner PR again. :)

That is just the name of the verification (which is indeed incorrect), the actual rule used is numeric so it shouldn't make a difference ;) However, good idea to fix the name!

Then I am totally lost. A user with this problem had a timestamp as newsread. He was unable to change his password. Troubleshooting revealed the failed verification. I set his newsread to 0 and the problem was gone.

The validation was fixed like a week ago, was this before or after?

This was last Friday..

Hmph. Could you reproduce it now?

Hmph. Nope, even with a timestamp as newsread it now works fine.

Good ;)

Ah, now I see: I must have been running without the fix in e0de52a last Friday. I suppose this issue is now dead and buried. ;-)

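The newsread discussion above boils down to three states: a validation rule that only accepts boolean-like values (which rejects the epoch timestamps the column is meant to hold), the numeric rule that e0de52a settled on (which accepts timestamps but still rejects a NULL carried over from an old schema), and the NULL guard from 14d5b04 on top of that. The following is an added example written for this thread, not MISP or CakePHP code: the two rules are a stand-in modelled on how CakePHP 2's boolean and numeric validators behave (an assumption on my part), run over a constructed users table excerpt to show which users would be unable to save a password change in each state.

```python
# Stand-in for the two CakePHP 2 validation rules named in the thread. This is an
# assumed model, not CakePHP's Validation class: 'boolean' accepts only
# true/false/0/1 (and '0'/'1'), 'numeric' accepts what PHP's is_numeric()
# accepts, and NULL satisfies neither.
def rule_boolean(value):
    return value in (True, False, 0, 1, "0", "1")


def rule_numeric(value):
    if value is None or isinstance(value, bool):
        return False  # is_numeric(NULL) and is_numeric(true) are both false in PHP
    if isinstance(value, (int, float)):
        return True
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def newsread_valid(value, rule, null_guard=False):
    """Validate one user's newsread field under a given rule.

    null_guard models the behaviour the thread attributes to 14d5b04 (NULL no
    longer breaks the save) by treating NULL as the column default, 0.
    """
    if null_guard and value is None:
        value = 0
    return rule(value)


# Constructed users table excerpt (not real data): one NULL carried over from an
# old version, one default 0, one real timestamp (what newsread should hold).
USERS = [
    {"id": 1, "newsread": None},
    {"id": 2, "newsread": 0},
    {"id": 3, "newsread": 1503000000},
]


def blocked_users(users, rule, null_guard=False):
    """Return ids of users whose password change would fail model validation."""
    return [u["id"] for u in users
            if not newsread_valid(u["newsread"], rule, null_guard)]


def diagnose(users=USERS):
    """Compare the three states the thread walks through."""
    return {
        "boolean rule, no NULL guard": blocked_users(users, rule_boolean),
        "numeric rule, no NULL guard": blocked_users(users, rule_numeric),
        "numeric rule + NULL guard": blocked_users(users, rule_numeric, null_guard=True),
    }


if __name__ == "__main__":
    for state, ids in diagnose().items():
        print("%-30s blocked users: %s" % (state, ids or "none"))
```

Under the boolean-style rule users 1 and 3 are blocked, which matches the symptom Richie describes (a user with a timestamp cannot change his password); under the numeric rule only the NULL user remains blocked, which is the case 14d5b04 addresses. A quick way to find affected rows on a real instance is to look for NULL in the newsread column of the users table, as suggested in the thread.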
That's how all issues should be, dead and buried that is! :)))

FLAWLESS VICTORY
--
John Bambenek

Hi there, Currently installed version… v2.4.88
even though I am indeed setting a complex password as required, and the mentioned fix (e0de52a) is in place. What I have noticed is when I hover the mouse on the Password information icon ("i") nothing appears. It looks like the JavaScript PasswordPopover is not being loaded. Any ideas?

Same issue with MISP on Ubuntu 16.04 and the server built from scratch today

I have a user trying to reset his password, my settings are default (12 characters and /((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$/).
He is trying to set this and it doesn't work saying not matching complexity requirements:
mSW%vuc@ot85>?
and
aA9!$!@#$@#aeuc<.a
Related, I can't set a specific password for users as admin because it asks me to enter existing password. As admin I should be able to specify a password, right?
If you would like to report a bug, please fill the template below
Work environment
Type of issue: Bug
OS version (server): ubuntu
OS version (client): XP, Seven, 10, Ubuntu, ...
PHP version: 5.4, 5.5, 5.6, 7.0, 7.1...
MISP version / git hash: 2.4.78
Browser: If applicable
Expected behavior
Actual behavior
Steps to reproduce the behavior
Logs, screenshots, configuration dump, ...
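The report quotes the default policy (minimum length 12 plus the complexity regex) and two passwords that were rejected. The script below is an added example written for this thread, not MISP's own code: it applies exactly that length check and regex, as quoted in the issue, to the two reported passwords and to a few constructed ones that should fail, so an admin can confirm whether a "complexity" rejection is really coming from the policy. As Andras points out, the check runs on the raw input, never on the hash, so a Blowfish salt problem cannot produce this error. It also records one caveat about the regex itself that anyone reusing it should know.

```python
import re

# The default MISP policy as quoted in this issue: minimum length 12 and the
# complexity regex below (copied from the report, not from MISP's source tree).
MIN_LENGTH = 12
COMPLEXITY_REGEX = re.compile(r"((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$")


def check_complexity(password, min_length=MIN_LENGTH, pattern=COMPLEXITY_REGEX):
    """Return the list of policy violations; an empty list means the password passes.

    This mirrors what the thread says about the check: it runs on the raw input,
    never on the hash, so a broken Blowfish salt cannot surface here.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not pattern.match(password):
        problems.append("does not match complexity regex")
    return problems


# Constructed sample set: the two passwords from the report plus three that
# should fail, so both outcomes of the check are visible. The values are the
# expected results for each password.
SAMPLES = {
    "mSW%vuc@ot85>?": [],                                       # from the issue
    "aA9!$!@#$@#aeuc<.a": [],                                   # from the issue
    "alllowercase12": ["does not match complexity regex"],      # no upper-case letter
    "Short1!": ["shorter than 12 characters"],                  # regex ok, too short
    "NoDigitsOrSymbols": ["does not match complexity regex"],   # neither \d nor \W
}


def evaluate_samples(samples=SAMPLES):
    """Run check_complexity over every sample and return {password: problems}."""
    return {pw: check_complexity(pw) for pw in samples}


def regex_alone_accepts_trailing_newline():
    """Caveat when reusing this regex: in both PCRE and Python a plain '$' also
    matches just before a final newline, so the pattern on its own does not
    reject a value ending in '\\n'. Trim input before validating it."""
    return COMPLEXITY_REGEX.match("mSW%vuc@ot85>?\n") is not None


if __name__ == "__main__":
    for pw, problems in evaluate_samples().items():
        print("%-22r %s" % (pw, "OK" if not problems else "; ".join(problems)))
```

Both reported passwords pass the policy as quoted, which is consistent with Andras being unable to reproduce the rejection on a default instance and with the thread's eventual finding that the failure came from model validation of the newsread column, not from the complexity check.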