Misp: Password Issue

Created on 12 Aug 2017  Â·  44Comments  Â·  Source: MISP/MISP

I have a user trying to reset his password, my settings are default (12 characters and /((?=.\d)|(?=.\W+))(?![\n])(?=.[A-Z])(?=.[a-z]).*$/).

He is trying to set this and it doesn't work saying not matching complexity requirements:
mSW%vuc@ot85>?

and

aA9!$!@#$@#aeuc<.a

Related, I can't set a specific password for users as admin because it asks me to enter existing password. As admin I should be able to specify a password, right?

If you would like to report a bug, please fill the template bellow

Work environment

| Questions | Answers
|---------------------------|--------------------
| Type of issue | Bug
| OS version (server) | ubuntu
| OS version (client) | XP, Seven, 10, Ubuntu, ...
| PHP version | 5.4, 5.5, 5.6, 7.0, 7.1...
| MISP version / git hash | 2.4.78
| Browser | If applicable

Expected behavior

Actual behavior

Steps to reproduce the behavior

Logs, screenshots, configuration dump, ...

bug

Most helpful comment

I both updated mysql and did another pull, verified it works now. Thanks!

All 44 comments

Weird, will test the password complexity issue.

As for the existing password, as an admin you have to enter your password,
not that of the user :)

On Sat, Aug 12, 2017 at 12:00 AM, John Bambenek notifications@github.com
wrote:

I have a user trying to reset his password, my settings are default (12
characters and /((?=.\d)|(?=.\W+))(?![\n])(?=.[A-Z])(?=.[a-z]).*$/).

He is trying to set this and it doesn't work saying not matching
complexity requirements:
mSW%vuc@ot85>?

and

aA9!$!@#$@#aeuc<.a

Related, I can't set a specific password for users as admin because it
asks me to enter existing password. As admin I should be able to specify a
password, right?

If you would like to report a bug, please fill the template bellow
Work environment
Questions Answers
Type of issue Bug
OS version (server) ubuntu
OS version (client) XP, Seven, 10, Ubuntu, ...
PHP version 5.4, 5.5, 5.6, 7.0, 7.1...
MISP version / git hash 2.4.78
Browser If applicable Expected behavior Actual behavior Steps to
reproduce the behavior Logs, screenshots, configuration dump, ...

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394, or mute the thread
https://github.com/notifications/unsubscribe-auth/ADf6wOOHPmF2SkyoCyXu357Ss1zM8Ox-ks5sXM7zgaJpZM4O1LZ-
.

Ahh, ok re: entering my password

--
John Bambenek

On Aug 12, 2017, at 00:13, Andras Iklody notifications@github.com wrote:

Weird, will test the password complexity issue.

As for the existing password, as an admin you have to enter your password,
not that of the user :)

On Sat, Aug 12, 2017 at 12:00 AM, John Bambenek notifications@github.com
wrote:

I have a user trying to reset his password, my settings are default (12
characters and /((?=.\d)|(?=.\W+))(?![\n])(?=.[A-Z])(?=.[a-z]).*$/).

He is trying to set this and it doesn't work saying not matching
complexity requirements:
mSW%vuc@ot85>?

and

aA9!$!@#$@#aeuc<.a

Related, I can't set a specific password for users as admin because it
asks me to enter existing password. As admin I should be able to specify a
password, right?

If you would like to report a bug, please fill the template bellow
Work environment
Questions Answers
Type of issue Bug
OS version (server) ubuntu
OS version (client) XP, Seven, 10, Ubuntu, ...
PHP version 5.4, 5.5, 5.6, 7.0, 7.1...
MISP version / git hash 2.4.78
Browser If applicable Expected behavior Actual behavior Steps to
reproduce the behavior Logs, screenshots, configuration dump, ...

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394, or mute the thread
https://github.com/notifications/unsubscribe-auth/ADf6wOOHPmF2SkyoCyXu357Ss1zM8Ox-ks5sXM7zgaJpZM4O1LZ-
.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

Weird, just tried the password above in my dev instance with default complexity settings and it seems to work fine...

I'm pretty sure I didn't change my settings... can you send me the
defaults so I can restore those on my box?

On 8/13/2017 5:38 PM, Andras Iklody wrote:
>

Weird, just tried the password above in my dev instance with default
complexity settings and it seems to work fine...

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-322072030, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AD7YX8wT_C3NPFmUhFpDmt8FaY1M-lXAks5sX3rjgaJpZM4O1LZ-.

--

John Bambenek

We are experiencing the same issue after we upgraded MISP to 2.4.78 (from 2.4.75). I think the problem is with the Blowfish patch https://github.com/MISP/MISP/commit/3317f56ca1e8c1f6ffda77a5972dd346dc259ac9 Even through it contains a verifyPassword() that looks decent it is not always used:

2017-08-16 10:10:01 Warning: Warning (512): Invalid salt: {40xHEX} for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/Security.php, line 323]
Trace:
ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230
Security::_crypt() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 323
Security::hash() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 115
BlowfishPasswordHasher::check() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BlowfishPasswordHasher.php, line 45
BaseAuthenticate::_findUser() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BaseAuthenticate.php, line 138
FormAuthenticate::authenticate() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/FormAuthenticate.php, line 79
AuthComponent::identify() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 771
AuthComponent::login() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 611
UsersController::login() - APP/Controller/UsersController.php, line 769
ReflectionMethod::invokeArgs() - [internal], line ??
Controller::invokeAction() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 491
Dispatcher::_invoke() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 193
Dispatcher::dispatch() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 167
[main] - APP/webroot/index.php, line 92

That shouldn't be used for the validation issue he gets so it's strange.
The password complexity is checked against the raw input, not the hash.

On Wed, Aug 16, 2017 at 1:25 PM, Richie B2B notifications@github.com
wrote:

We are experiencing the same issue after we upgraded MISP to 2.4.78 (from
2.4.75). I think the problem is with the Blowfish patch 3317f56
https://github.com/MISP/MISP/commit/3317f56ca1e8c1f6ffda77a5972dd346dc259ac9
Even through it contains a verifyPassword() that looks decent it is not
always used:

2017-08-16 10:10:01 Warning: Warning (512): Invalid salt: {40xHEX} for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/Security.php, line 323]
Trace:
ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230
Security::_crypt() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 323
Security::hash() - APP/Lib/cakephp/lib/Cake/Utility/Security.php, line 115
BlowfishPasswordHasher::check() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BlowfishPasswordHasher.php, line 45
BaseAuthenticate::_findUser() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/BaseAuthenticate.php, line 138
FormAuthenticate::authenticate() - APP/Lib/cakephp/lib/Cake/Controller/Component/Auth/FormAuthenticate.php, line 79
AuthComponent::identify() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 771
AuthComponent::login() - APP/Lib/cakephp/lib/Cake/Controller/Component/AuthComponent.php, line 611
UsersController::login() - APP/Controller/UsersController.php, line 769
ReflectionMethod::invokeArgs() - [internal], line ??
Controller::invokeAction() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 491
Dispatcher::_invoke() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 193
Dispatcher::dispatch() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 167
[main] - APP/webroot/index.php, line 92

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-322741157, or mute
the thread
https://github.com/notifications/unsubscribe-auth/ADf6wHa5zj18QMPf4TytEbCZyhW41e_gks5sYtHHgaJpZM4O1LZ-
.

It seems that #2401 was unrelated to this issue after all. We are still experiencing this issue after #2401 was fixed.

Interesting, so you have it too?

On Thu, Aug 17, 2017 at 11:27 AM, Richie B2B notifications@github.com
wrote:

It seems that #2401 https://github.com/MISP/MISP/issues/2401 was
unrelated to this issue after all. We are still experiencing this issue
after #2401 https://github.com/MISP/MISP/issues/2401 was fixed.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-323017526, or mute
the thread
https://github.com/notifications/unsubscribe-auth/ADf6wFgCvuWrP93uvZJ85h3lNrV9xS9Jks5sZAdmgaJpZM4O1LZ-
.

A user is complaining about it but I cannot reproduce it. Will troubleshoot some more..

Interesting. Just tried it with a read only user too (with the default settings accepted / empty) but same thing. Not sure what's up. Can you ask the user to paste what the flash message says on top after it fails?

The user is hitting /users/change_pw because I reset his password (so the change_pw field is set). He is getting this message:

The password could not be updated. Make sure you meet the minimum password length / complexity requirements.

This is from https://github.com/MISP/MISP/blob/2.4/app/Controller/UsersController.php#L158

Reading $this->User->validationErrors after the $this->User->save($user) reveals the problem:

Array
(
    [newsread] => Array
        (
            [0] => boolean
        )

)

CakePHP is expecting a boolean where the users table is filled with epoch timestamps in this column. How did that happen?

Interesting. OK, didn't realise it was the change_pw function, I kept using the user edit to change it. Looking into it. I might be a bit slow with it though, stuck in a literal 2 day conf call.

Reproduced, fix incoming.

Well I have no clue how that happened. Even more so how the newsread field worked in the first place o.O

I've created #2405 so we can use change_pw more. :-)

FYI, I'm still having the password reset issue on my MISP instance after pulling from master for latest code.

Which part? The regex failing?

Yes, says passwords cannot be updated, fails to meet min complexity
requirements.

On 8/24/2017 1:47 AM, Andras Iklody wrote:
>

Which part? The regex failing?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-324548807, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AD7YXwPharRj3RNtvT5DUOfok6Itua_Eks5sbRyZgaJpZM4O1LZ-.

--

John Bambenek

Could you paste the commit ID you're on? Is it the latest? Do you have the silly

Security.require_password_confirmation

setting enabled?

I just did a pull so should be latest.

6eb...8aa

That setting is false on my instance.

On 8/24/2017 4:16 PM, Andras Iklody wrote:
>

Could you paste the commit ID you're on? Is it the latest? Do you have
the silly

|Security.require_password_confirmation|

setting enabled?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-324760008, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AD7YX0FCYvfZOtpvDh0CpvMwQox7W2Bnks5sbeghgaJpZM4O1LZ-.

--

John Bambenek

Check your newsread column in the users MySQL table. If it contains a timestamp you have the same issue I did.

Have a bunch of timestamps in there, what's the specific issue?

On 8/24/2017 4:32 PM, Richie B2B wrote:
>

Check your newsread column in the users MySQL table. If it contains a
timestamp you have the same issue I did.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-324763583, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AD7YX9v7DzLY7ownPUWkzoADASiEYX9Tks5sbev6gaJpZM4O1LZ-.

--

John Bambenek

Wait, newsread is supposed to contain a timestamp...

Many are NULL in my case, but quite a few timestamps in there, and one
odd 0 value.

On 8/24/2017 4:39 PM, Andras Iklody wrote:
>

Wait, newsread is supposed to contain a timestamp...

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-324765052, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AD7YX06TTJJ2O_LbALu5mGeG7rpvcPlaks5sbe2bgaJpZM4O1LZ-.

--

John Bambenek

Null is weird. Default should be 0, could be a carry-over from old versions, maybe that's indeed the culprit.

Basically the way it works: If user's newsread < timestamp of the last news item, redirect the user to the news section (which updates the user's newsread to the current timestamp). Null might cause issues. Could you try to run:

Update users set newsread = 0 where newsread is NULL;

and see if it fixes it?

Set your newsread to 0 and try to change your password. CakePHP somehow thinks it should be a Boolean value and refuses to save the data if it isn't.

Not boolean, but an integer. The validation checks for numeric values, the null must be a carry over from an older version.

Just pushed a possible quick fix.

Time to hit the sack, will check back in the morning.

I both updated mysql and did another pull, verified it works now. Thanks!

https://github.com/MISP/MISP/commit/14d5b0444d92d266057e8948e309950fe2a07c4a will prevent NULL values in newsread to become a problem, but you are missing the real issue. In the datamodel newsread is defined as boolean yet timestamps are stored in it. This causes the save() function to fail the data model verification.

I'll do a one liner PR again. :)

That is just the name of the verification (which is indeed incorrect), the actual rule used is numeric so it shouldn't make a difference ;)

However, good idea to fix the name!

Then I am totally lost. A user with this problem had a timestamp as newsread. He was unable to change his password. Troubleshooting revealed the failed verification. I set his newsread to 0 and the problem was gone.

The validation was fixed like a week ago, was this before or after?

This was last Friday..

Hmph. Could you reproduce it now?

Hmph. Nope, even with a timestamp as newsread it now works fine.

Good ;)

Ah, now I see: I must have been running without the fix in https://github.com/MISP/MISP/commit/e0de52a53434deea47c14ea5110d986c3aab20fd last Friday. I suppose this issue is now dead and buried. ;-)

That's how all issues should be, dead and buried that is! :)))

FLAWLESS VICTORY

On 8/25/2017 3:52 AM, Andras Iklody wrote:
>

That's how all issues should be, dead and buried that is! :)))

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/MISP/MISP/issues/2394#issuecomment-324861278, or
mute the thread
https://github.com/notifications/unsubscribe-auth/AD7YX5eisX4vf1syEe_SQMxMQXMz6oK5ks5sbotLgaJpZM4O1LZ-.

--

John Bambenek

Hi there,
I am having the same issue when n user tries to set a new password from the GUI.

Currently installed version… v2.4.88
Ubuntu 16.04

The password could not be updated. Make sure you meet the minimum password length / complexity requirements.

despite I am indeed setting a complex password as required, and the mentioned fix (e0de52a) is in place.
I have no errors details in error.log.

What I have noticed is when I hover the mouse on the Password information icon ("i") nothing appears, It looks like the javascript PasswordPopover is not being loaded.

Any ideas?
Thanks

Same issue with MISP on Ubuntu 16.04 and the server built from scratch today

Was this page helpful?
0 / 5 - 0 ratings