[FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
- baijianpeng
- Joomla! Guru
- Posts: 516
- Joined: Mon Mar 20, 2006 3:17 pm
- Location: China
[FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
I have just found a big bug in Joomla 1.0.8.
My Admin account has a password of 6 characters. I log in with this account at the frontend and change the password to only one character, such as 0. Then I log out and log in again. Fine, I can log in with the shortest password. But when I shifted to the backend and logged in with the new password, Joomla said I should enter a password even after I really entered the password 0.
So the problem is: the frontend allows users to use a short password but the backend does not.
I think the frontend should be improved. Users must use passwords longer than 6 characters.
Last edited by stingrey on Sat Jun 03, 2006 5:59 pm, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Big Bug of Joomla 1.0.8 !
I do confirm this behaviour in SVN 3804.
I changed the title of the thread to reflect this.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
Re: Big Bug of Joomla 1.0.8 ! + SVN 3804
Description:
When a superadmin logs in on the frontend, and uses the Your detail option to change his password to "0" he is then unable to login to the Administrator backend. A popup will show with the text "Enter a password". Any other character like a "1" will still work. The superadmin can return to frontend login to change back his password to any character sequence so the Administrator login will work again.
Reported on:
- Joomla! 1.0.8. Stable
- Joomla! 1.0.9. beta 4
Classification:
Critical/High/Medium/Low/Enhancement
Affected functions:
- Administrator login
Related files:
List related files when known
Steps to replicate:
- login to frontend with super admin account
- change password from any character sequence to just "0" (zero)
- logout from frontend, go to administrator backend
- try to login > message "enter a password"
Analysis:
Confirmed/Unable to confirm/Rejected
You need to specifically use a ZERO ("0") to replicate the problem. A character like "1" will still work.
Proposed fix(es):
Any possible fixes in code that might provide a solution
Topic / Artifact ID:
Enter the cross reference for topic or artifact id/url when submitted
System info:
PHP built On: Windows NT D1K1JG1J 5.1 build 2600
Database Version: 5.0.21-community-nt
PHP Version: 5.1.4
Web Server: Apache/2.0.55 (Win32) PHP/5.1.4
WebServer to PHP interface: apache2handler
Last edited by user deleted on Sat Jun 03, 2006 8:42 am, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
Sorry to contradict you, Robink
I just created a user name "regis" password "1" status "administrator".
I can login easily from front AND back-end
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
Hi JM,
You are correct, as I am stating in my Analysis as well. A character like "1" still works as a password. It is just limited to a zero "0". When you use that as a password the popup message will show, and you are unable to login. I will verify to make sure.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
Sorry, did not read you well.
I tried with "A" and get the same btw.
same with "AB"...
I have the feeling that the 6 characters minimum limit is just not implemented at all.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
Hi Jm,
Thanks for the additional info. I am searching the files, and so far cannot find any "minimum limit" in the code either. Any suggestions with regards to a fix?
I would be all for a check on password length, both front and backend. The length could be set through Global Configuration.
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
We saw the same "problem" in CB RC2 and implemented identical checks in the backend as in the frontend in CB 1.0 stable (including CB settings for restrictions on username changes).
This has the effect that an admin can't set a short password in the backend, even if he wants to, and can't change the username either if CB settings don't allow it.
Except for the username change, which should always be possible in the backend for super-admins independently of CB settings, we didn't have negative feedback on these new restrictions being the same in the backend as in the frontend.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
Beat wrote:
> We saw the same "problem" in CB RC2 and implemented identical checks in the backend as in the frontend in CB 1.0 stable (including CB settings for restrictions on username changes)
Similar functionality options will be added to 1.5:
- Ability to lock username change
- Ability to set minimum password level
- Ability to set minimum username level
As to whether such increased security functionality should also be implemented in the 1.0.x series, I am still not sure at this stage.
Last edited by stingrey on Sat Jun 03, 2006 4:38 pm, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
As to this report I'm not sure why this is happening - discrepancy between frontend and backend limits.
I had thought the limitation already existed in the frontend - now it is possible this got accidentally removed somewhere - or worse never existed.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
I see no discrepancy here, Rey.
There is no mini limit in the character numbers in front AS in back on my settings.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
infograf768 wrote:
> I see no discrepancy here, Rey.
> There is no mini limit in the character numbers in front AS in back on my settings
Actually you are correct.
I thought there was a 6 character minimum limit for passwords - but it seems there is actually no limit to the number of characters in a password - Front or Backend.
There is a 3 character minimum for usernames, but nothing for passwords.
However, this is a separate issue from this report.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
Fixed in 1.0.9 SVN
Due to an incorrect logic check
Code:
if (!$pass) {
which will mean a $pass = 0 will result in the check being passed.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach
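Worked example of the logic error stingrey cites, and of the minimum-length rule the thread asks for on every path (registration, frontend "Your details", backend user editor). This is added PHP written for this thread, not Joomla's or CB's own code; the function names and the idea of a configurable minimum length are assumptions.

```php
<?php
// Added example (not Joomla's own code): why `if (!$pass)` rejects the
// password "0", plus a stricter check and a length rule shared by all paths.

// The pattern stingrey cites. In PHP the string "0" is falsy (only "" and "0"
// are, among strings), so a user whose password is literally "0" is treated
// as if no password was submitted at all. "1", "A" or "00" are truthy.
function passwordMissingBuggy(string $pass): bool
{
    return !$pass;            // "" -> true, "0" -> true (bug), "1" -> false
}

// Fixed check: only an absent field or an empty string means "no password".
function passwordMissingFixed(?string $pass): bool
{
    return $pass === null || $pass === '';   // "0" -> false
}

// Minimum-length rule. The thread suggests making the length a Global
// Configuration value; here it is just a parameter (assumed, not a real
// Joomla setting). strlen() counts bytes, which is the same measure the
// registration form's JavaScript length check uses.
function passwordTooShort(string $pass, int $minLength): bool
{
    return strlen($pass) < $minLength;
}

// One validator called from registration, the frontend password change and
// the backend user editor, so the rules cannot drift between paths.
// Returns null when the password is acceptable, otherwise the error message.
function validateNewPassword(?string $pass, int $minLength = 6): ?string
{
    if (passwordMissingFixed($pass)) {
        return 'Enter a password';
    }
    if (passwordTooShort($pass, $minLength)) {
        return sprintf('Password must be at least %d characters', $minLength);
    }
    return null;
}

// Constructed inputs showing the discrepancy the thread reports.
foreach (['', '0', '1', 'AB', 'secret'] as $candidate) {
    printf("%-8s buggy-missing=%-5s fixed-missing=%-5s verdict=%s\n",
        var_export($candidate, true),
        var_export(passwordMissingBuggy($candidate), true),
        var_export(passwordMissingFixed($candidate), true),
        validateNewPassword($candidate) ?? 'ok');
}
```

Only "" is reported missing by the fixed check; "0", "1" and "AB" now fail for the same reason (too short), which is the consistent behaviour the thread asks for.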
-
- Joomla! Intern
- Posts: 64
- Joined: Fri Oct 07, 2005 4:45 pm
Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
I am confused. Is this fixed in the 1.0.10 version? I can still use passwords shorter than 6 chars. Or is the fix just so if you set '0' as your password, it will now work in the backend as well?
RedBox
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
RedBox wrote:
> Or is the fix just so if you set '0' as your password, it will now work in the backend as well?
Simply fixed `0` (zero) working as a valid password.
Functionality to change password length will be addressed in 1.5.x
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach
- ot2sen
- Joomla! Master
- Posts: 10381
- Joined: Thu Aug 18, 2005 9:58 am
- Location: Hillerød - Denmark
Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
stingrey wrote:
> Actually you are correct.
> infograf768 wrote:
> > I see no discrepancy here, Rey.
> > There is no mini limit in the character numbers in front AS in back on my settings
> I thought there was a 6 character minimum limit for passwords - but it seems there is actually no limit to the number of characters in a password - Front or Backend.
> There is a 3 character minimum for usernames, but nothing for passwords.
> However, this is a separate issue from this report.
Not sure if this is relevant for the upcoming 1.0.12, but noticed that there actually is a 6 character minimum limit for password - when registering.
When registering an account the user can only register if using a minimum of 6 characters, or a warning from the language file is shown:
Code:
DEFINE('_VALID_AZ09',"Please enter a valid %s. No spaces, more than %d characters and contain 0-9,a-z,A-Z");
DEFINE('_VALID_AZ09_USER',"Please enter a valid %s. More than %d characters and contain 0-9,a-z,A-Z");
This limit is created in /components/com_registration/registration.html.php at line 87-95:
Code:
} else if (form.password.value.length < 6) {
    alert( "" );
} else if (form.password2.value == "") {
    alert( "" );
} else if ((form.password.value != "") && (form.password.value != form.password2.value)){
    alert( "" );
} else if (r.exec(form.password.value)) {
    alert( "" );
} else {
Just bringing this up, cause a user asked how to let his site users change password to less than this registration warning message.
Sounds like he is not aware that this limit is only active at registration - and that there's no limit when changing password in future.
Ole Bang Ottosen
Dansk frivillig Joomla! support websted - joomla.dk
OpenTranslators Core Team opentranslators.org
Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
ot2sen wrote:
> Sounds like he is not aware that this limit is only active at registration - and that there's no limit when changing password in future.
Thanks,
Sounds like an issue to me, I'd expect that a password change would also verify this length. I'll check this with Q&T.
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
RobInk wrote:
> ot2sen wrote:
> > Sounds like he is not aware that this limit is only active at registration - and that there's no limit when changing password in future.
> Thanks,
> Sounds like an issue to me, I'd expect that a password change would also verify this length. I'll check this with Q&T.
RobInk: Talk with Rob, we discussed these last night.
CB has enforced those for some time...
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"
Thanks Beat,
Sent him an email