Meshcentral: PasswordRequirements : Some nonalpha characters appear to count as nonalpha and numeric characters

Created on 30 Apr 2020 · 2 Comments · Source: Ylianst/MeshCentral

Problem Description:

When creating a password for an account, some special characters ( / ? # @ ` ; \ ) count as numeric and nonalpha.

Environment

Server OS: Ubuntu 18.04.2 LTS
MeshCentral Version: v0.5.12
MeshCentral Configuration

{
  "settings": {
    "Port": 443,
    "RedirPort": 80,
    "AllowFraming": true,
    "AllowLoginToken": true,
    "WANonly": true,
    "MongoDb": "mongodb://USERNAME:[email protected]:27017/meshcentral"
  },
  "domains": {
    "": {
      "Title": "MyServer",
      "Title2": "Servername",
      "UserQuota": 1048576,
      "MeshQuota": 248576,
      "NewAccounts": true,
      "Footer": "<a href='https://twitter.com/mytwitter'>Twitter</a>"
    },
    "domaintest": {
      "Title": "Test Company2",
      "UserQuota": 1048576,
      "MeshQuota": 248576,
      "PasswordRequirements": {
        "min": 8,
        "max": 128,
        "upper": 1,
        "lower": 1,
        "numeric": 1,
        "nonalpha": 1,
        "reset": 90,
        "force2factor": true
      }
    }
  }
}

Testing

1) Configure the domain with password requirements

     "PasswordRequirements": {
        "min": 8,
        "max": 128,
        "upper": 1,
        "lower": 1,
        "numeric": 1,
        "nonalpha": 1,
        "reset": 90,
        "force2factor": true
      }

2) Restart MeshCentral
3) Log in to the webGUI
4) Create a new account
5) Observe that under the password options you see

Requirements: min:8, max:128, upper:1, lower:1, numeric:1, nonalpha:1

6) Create any of the following passwords

Abcdefg/
Abcdefg?
Abcdefg#
Abcdefg@
Abcdefg`
Abcdefg;
Abcdefg\

7) Observe that the "OK" button is lit

Fixed - Confirm & Close bug

All 2 comments

Nice catch and once again, outstanding report. Thank you! Just published MeshCentral v0.5.20 with a fix for this.

Thanks, I do what I can to try and save you time and headache. :)

Based on the following (new) password policy:

     "PasswordRequirements": {
        "min": 8,
        "max": 128,
        "upper": 2,
        "lower": 2,
        "numeric": 2,
        "nonalpha": 2,
        "reset": 90,
        "force2factor": true
      }

Tested Minimum (7 < 8 chars) ABc11\\
Tested Maximum (129 > 128 chars) AAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa11!!
Tested Uppercase (1 Upper < 2 Upper chars) Abcdef1\
Tested Lowercase (1 Lower < 2 Lower chars) ABCDEf1\
Tested Numeric (1 Numeric < 2 Numeric chars) Abcdef1\
Tested Non-Alpha (1 Non-Alpha < 2 Non-Alpha chars) Abcdef1\

All result in the "OK" button not being lit, as expected.

When setting an appropriate password like ABcd11\\, the "OK" button is lit as expected.

Closing, and thanks again!!!
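
The following is an added example, not MeshCentral's code and not part of the original thread: one way to count the four character classes so that each character lands in exactly one class, run against the policies and passwords from the report. The function names are hypothetical, and treating nonalpha as "neither letter nor digit" is an assumption drawn from the test results above.

```javascript
// Added example (not MeshCentral's implementation). countClasses and
// checkPasswordRequirements are hypothetical names; the policy keys
// (min, max, upper, lower, numeric, nonalpha) come from the report.

// Classify every code point into at most one class. The else-if chain is
// what prevents a symbol such as "/" from being counted as numeric too.
function countClasses(password) {
  const counts = { upper: 0, lower: 0, numeric: 0, nonalpha: 0 };
  for (const ch of password) {                      // iterates by code point
    if (/\p{Lu}/u.test(ch)) counts.upper++;
    else if (/\p{Ll}/u.test(ch)) counts.lower++;
    else if (/\p{Nd}/u.test(ch)) counts.numeric++;
    else if (!/\p{L}/u.test(ch)) counts.nonalpha++; // assumption: not a letter, not a digit
  }
  return counts;
}

// Return the list of requirement names the password fails (empty = accepted).
function checkPasswordRequirements(password, req) {
  const failed = [];
  const length = [...password].length;              // code points, not UTF-16 units
  if (req.min && length < req.min) failed.push('min');
  if (req.max && length > req.max) failed.push('max');
  const counts = countClasses(password);
  for (const key of ['upper', 'lower', 'numeric', 'nonalpha']) {
    if (req[key] && counts[key] < req[key]) failed.push(key);
  }
  return failed;
}

// Policies and passwords taken from the report.
const policy1 = { min: 8, max: 128, upper: 1, lower: 1, numeric: 1, nonalpha: 1 };
const policy2 = { min: 8, max: 128, upper: 2, lower: 2, numeric: 2, nonalpha: 2 };
const reported = ['Abcdefg/', 'Abcdefg?', 'Abcdefg#', 'Abcdefg@',
                  'Abcdefg`', 'Abcdefg;', 'Abcdefg\\'];

// Each reported password has no digit, so each must fail "numeric".
for (const pw of reported) {
  console.log(JSON.stringify(pw), checkPasswordRequirements(pw, policy1));
}
// The retest cases from the second comment, under the stricter policy.
console.log(checkPasswordRequirements('Abcdef1\\', policy2));
console.log(checkPasswordRequirements('ABcd11\\\\', policy2));
```
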
