
trying to login with incorrect password leads to an empty page #420

Closed
Bubu opened this issue Jan 13, 2021 · 7 comments

Bubu commented Jan 13, 2021

When trying to login with an empty password an internal error is thrown and logged but the users just lands on an empty page:

2021/01/13 22:09:03 [error] 239807#239807: *1229240 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw ... stderr: Fatal: reverse password verification check failed: Password mismatch
, password:  PHP message: PHP Fatal error:  Uncaught Exception: /usr/bin/doveadm pw failed, see error log for details in /usr/share/webapps/postfixadmin/functions.inc.php:1050
Stack trace:
#0 /usr/share/webapps/postfixadmin/functions.inc.php(1247): _pacrypt_dovecot()
#1 /usr/share/webapps/postfixadmin/model/Login.php(32): pacrypt()
#2 /usr/share/webapps/postfixadmin/public/users/login.php(54): Login->login()
#3 {main}

dovecot version: 2.3.13
postfixadmin: 3.3.1

Logging in with the correct passwords still works.

DavidGoodwin (Member) commented

Thanks for the bug report -> it's an issue with dovecot getting an empty password and how we deal with that.

Is there anything else in the error_log?

Bubu commented Jan 13, 2021

> it's an issue with dovecot getting an empty password and how we deal with that.

Not sure if that's what you mean, but that wasn't me trying to login with an empty password.

> Is there anything else in the error_log?

/run/postfixadmin/postfixadmin.sock:", host: "XXXX", referrer: "XXXXXX"
2021/01/13 22:28:23 [error] 239807#239807: *1233702 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw ... stderr: Fatal: reverse password verification check failed: Password mismatch
, password:  PHP message: PHP Fatal error:  Uncaught Exception: /usr/bin/doveadm pw failed, see error log for details in /usr/share/webapps/postfixadmin/functions.inc.php:1050
Stack trace:
#0 /usr/share/webapps/postfixadmin/functions.inc.php(1247): _pacrypt_dovecot()
#1 /usr/share/webapps/postfixadmin/model/Login.php(32): pacrypt()
#2 /usr/share/webapps/postfixadmin/public/login.php(63): Login->login()
#3 {main}
  thrown in /usr/share/webapps/postfixadmin/functions.inc.php on line 1050" while reading response header from upstream, client: YYYYYYY, server: XXXXXXXXX, request: "POST /login.php HTTP/2.0", upstream: "fastcgi://unix:/run/postfixadmin/postfixadmin.sock:", host: "XXXXXXXXX", referrer: "XXXXXX"
2021/01/13 22:28:35 [error] 239807#239807: *1233702 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: domain_selected in /var/cache/postfixadmin/templates_c/0243e4ad2208bd43d930ccf724b26ff527b2775d_0.file.list.tpl.php on line 277PHP message: PHP Notice:  Trying to get property 'value' of non-object in /var/cache/postfixadmin/templates_c/0243e4ad2208bd43d930ccf724b26ff527b2775d_0.file.list.tpl.php on line 277" while reading response header from upstream, client: 5.28.112.27, server: XXXXXXXXXX, request: "GET /list.php?table=admin HTTP/2.0", upstream: "fastcgi://unix:/run/postfixadmin/postfixadmin.sock:", host: "XXXXXXXXX", referrer: "XXXXXX"

This is the tail of the log. Before that it repeats the password error a bunch of times because I tried multiple times.

DavidGoodwin added a commit that referenced this issue Jan 13, 2021
DavidGoodwin (Member) commented

See also 5827a12 - which should require the password is not empty.

DavidGoodwin commented Jan 13, 2021

Do either of those fix things for you? Thanks for the quick response.

Bubu commented Jan 13, 2021

72ded84 partly fixes this. Some observations:

  • When entering a nonexisting username I get the following error and still a white page:
2021/01/14 00:29:55 [error] 309554#309554: *1263845 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw ... stderr: Fatal: Missing {scheme} prefix from hash
, password:  PHP message: PHP Fatal error:  Uncaught Exception: /usr/bin/doveadm pw failed, see error log for details in /usr/share/webapps/postfixadmin/functions.inc.php:1050
Stack trace:
#0 /usr/share/webapps/postfixadmin/functions.inc.php(1247): _pacrypt_dovecot()
#1 /usr/share/webapps/postfixadmin/model/Login.php(43): pacrypt()
#2 /usr/share/webapps/postfixadmin/public/login.php(63): Login->login()
#3 {main}
  • When entering a valid user but a wrong password on login.php (admin interface) I get a message saying that the login didn't work. This is fine.
  • When doing the same on users/login.php it brings you back to the login page but without any error message that the login failed for $reason.

error log for the last case:

2021/01/14 00:32:53 [error] 309554#309554: *1263845 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw ... stderr: Fatal: reverse password verification check failed: Password mismatch
, password:  PHP message: Error while trying to call pacrypt()PHP message: Exception: /usr/bin/doveadm pw failed, see error log for details in /usr/share/webapps/postfixadmin/functions.inc.php:1050
Stack trace:
#0 /usr/share/webapps/postfixadmin/functions.inc.php(1247): _pacrypt_dovecot()
#1 /usr/share/webapps/postfixadmin/model/Login.php(33): pacrypt()
#2 /usr/share/webapps/postfixadmin/public/users/login.php(54): Login->login()

DavidGoodwin (Member) commented

> 72ded84 partly fixes this. Some observations:
>
>   • When entering a nonexisting username I get the following error and still a white page:
> 2021/01/14 00:29:55 [error] 309554#309554: *1263845 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw ... stderr: Fatal: Missing {scheme} prefix from hash
> , password:  PHP message: PHP Fatal error:  Uncaught Exception: /usr/bin/doveadm pw failed, see error log for details in /usr/share/webapps/postfixadmin/functions.inc.php:1050
> Stack trace:
> #0 /usr/share/webapps/postfixadmin/functions.inc.php(1247): _pacrypt_dovecot()
> #1 /usr/share/webapps/postfixadmin/model/Login.php(43): pacrypt()
> #2 /usr/share/webapps/postfixadmin/public/login.php(63): Login->login()
> #3 {main}

OK. That's from calling "pacrypt('abc', 'def')" which happens in an attempt to try and make all login branches take a similar time to make it harder for an attacker to evaluate whether accounts exist on the system or not.

8b1adbc might fix this.

>   • When entering a valid user but a wrong password on login.php (admin interface) I get a message saying that the login didn't work. This is fine.
>   • When doing the same on users/login.php it brings you back to the login page but without any error message that the login failed for $reason.

Hm, that'll be because we destroy the session, so whatever flash_error stored was lost. Should be fixed with 24eb45b.
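The three behaviours discussed in this thread (a verifier failure surfacing as an uncaught exception and a blank page, the dummy `pacrypt('abc', 'def')` call so the unknown-user branch costs the same as a wrong-password branch, and the flash error being lost when the session is destroyed) can be seen together in the following standalone PHP sketch. This is an added example, not Postfixadmin's code: `external_verify()` uses `password_verify()` as a stand-in for `doveadm pw -t`, and `login()`, `dummy_hash()`, `reset_session_keep_flash()`, `flash_error()` and the `$session` array are hypothetical names that do not correspond to anything in the project.

```php
<?php
// Added example (not Postfixadmin code): a login routine that turns a failing
// external password verifier into a normal "login failed" instead of an uncaught
// exception, does the same hashing work for unknown users as for known ones,
// and keeps the flash error across the session reset that follows a failure.
declare(strict_types=1);

// Stand-in for an external checker such as `doveadm pw -t`: a clean mismatch
// returns false, but a malformed stored hash (no scheme prefix) makes it abort,
// which is the situation behind a "Missing {scheme} prefix from hash" log line.
function external_verify(string $storedHash, string $password): bool
{
    if ($storedHash === '' || $storedHash[0] !== '$') {
        throw new RuntimeException('Missing {scheme} prefix from hash');
    }
    return password_verify($password, $storedHash);
}

// A well-formed hash that matches no real user, computed once so every
// request pays the same verification cost whether or not the account exists.
function dummy_hash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

function flash_error(array &$session, string $message): void
{
    $session['flash'][] = $message;
}

// Reset the session after a failed attempt without losing the pending flash
// message. In a real app this is session_regenerate_id(true) plus clearing
// $_SESSION rather than session_destroy(); here $session is a plain array.
function reset_session_keep_flash(array &$session): void
{
    $flash = $session['flash'] ?? [];
    $session = ['flash' => $flash];
}

// $users maps username => stored hash (a constructed table supplied by the caller).
function login(array $users, string $username, string $password, array &$session): bool
{
    $known = array_key_exists($username, $users);
    // Always verify against *some* well-formed hash so the unknown-user branch
    // is not measurably faster than the wrong-password branch.
    $hash = $known ? $users[$username] : dummy_hash();

    try {
        // Reject empty passwords up front; otherwise ask the verifier.
        $ok = $password !== '' && external_verify($hash, $password);
    } catch (RuntimeException $e) {
        // A verifier failure is an operational problem worth logging, but to
        // the user it is just a failed login, never a fatal error and blank page.
        error_log('password verification failed: ' . $e->getMessage());
        $ok = false;
    }

    if (!$known || !$ok) {
        flash_error($session, 'Login failed: invalid username or password.');
        reset_session_keep_flash($session);
        return false;
    }

    $session = ['user' => $username]; // success: fresh session bound to the user
    return true;
}

// Constructed demo data: one valid account and one whose stored hash is malformed.
$users = [
    'alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT),
    'bob@example.com'   => 'plaintext-without-scheme',
];
$attempts = [
    ['alice@example.com',  'correct horse'], // valid credentials
    ['alice@example.com',  'wrong'],         // wrong password
    ['nobody@example.com', 'anything'],      // unknown user: dummy hash is checked
    ['bob@example.com',    'anything'],      // verifier aborts: still a plain failure
    ['alice@example.com',  ''],              // empty password
];
foreach ($attempts as [$user, $pass]) {
    $session = [];
    $result  = login($users, $user, $pass, $session) ? 'ok' : 'failed';
    $message = $session['flash'][0] ?? '(no message)';
    printf("%-20s %-15s %-7s %s\n", $user, $pass === '' ? '(empty)' : $pass, $result, $message);
}
```

Only the first attempt succeeds; the other four all end with the same generic message still present in `$session['flash']` after the reset, and the malformed-hash case is recorded with `error_log()` instead of escaping as an uncaught exception.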

DavidGoodwin (Member) commented

I believe this is fixed with 3.3.3.
