[FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

baijianpeng
Joomla! Guru
Posts: 516
Joined: Mon Mar 20, 2006 3:17 pm
Location: China

[FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by baijianpeng » Fri Jun 02, 2006 10:33 pm

I have just found a big bug in Joomla 1.0.8.

My Admin account has a password of 6 characters. I log in with this account at the frontend and change the password to only one character, such as 0. Then I log out and log in again. Fine, I can log in with the shortest password. But when I shifted to the backend and logged in with the new password, Joomla said I should enter a password, even after I really entered the password 0.

So the problem is: the frontend allows users to use short passwords but the backend does not.

I think the frontend should be improved. Users must use passwords longer than 6 characters.
Last edited by stingrey on Sat Jun 03, 2006 5:59 pm, edited 1 time in total.
JoomlaGate - Chinese Joomla Users' Portal

http://www.joomlagate.com

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Big Bug of Joomla 1.0.8 !

Post by infograf768 » Sat Jun 03, 2006 4:32 am

I do confirm this behaviour in SVN 3804.

I changed the title of the thread to reflect this.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

user deleted

Re: Big Bug of Joomla 1.0.8 ! + SVN 3804

Post by user deleted » Sat Jun 03, 2006 5:55 am

Description:
When a superadmin logs in on the frontend and uses the Your Details option to change his password to "0", he is then unable to log in to the Administrator backend. A popup will show with the text "Enter a password". Any other character, like a "1", will still work. The superadmin can return to the frontend login to change his password back to any character sequence so the Administrator login will work again.

Reported on:
- Joomla! 1.0.8. Stable
- Joomla! 1.0.9. beta 4

Classification:
Critical/High/Medium/Low/Enhancement

Affected functions:
- Administrator login

Related files:
List related files when known

Steps to replicate:
- login to frontend with super admin account
- change password from any character sequence to just "0" (zero)
- logout from frontend, go to administrator backend
- try to login > message "enter a password"

Analysis:
Confirmed/Unable to confirm/Rejected
You need to specifically use a ZERO > "0" to replicate the problem. A character like "1" will still work.

Proposed fix(es):
Any possible fixes in code that might provide a solution

Topic / Artifact ID:
Enter the cross reference for topic or artifact id/url when submitted

System info:
PHP built On:  Windows NT D1K1JG1J 5.1 build 2600
Database Version: 5.0.21-community-nt
PHP Version: 5.1.4
Web Server: Apache/2.0.55 (Win32) PHP/5.1.4
WebServer to PHP interface: apache2handler
Last edited by user deleted on Sat Jun 03, 2006 8:42 am, edited 1 time in total.

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by infograf768 » Sat Jun 03, 2006 8:27 am

Sorry to contradict you, RobInk.

I just created a user with name "regis", password "1", status "administrator".

I can log in easily from front AND back-end  :'(
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

user deleted

Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by user deleted » Sat Jun 03, 2006 8:40 am

Hi JM,

You are correct, as I am stating in my Analysis as well. A character like "1" still works as a password. It is limited to just a zero "0". When you use that as a password the popup message will show, and you are unable to log in. I will verify to make sure.

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by infograf768 » Sat Jun 03, 2006 8:59 am

Sorry, did not read you well.
I tried with "A" and get the same, btw.
Same with "AB"...
I have the feeling that the 6 character minimum limit is just not implemented at all.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

user deleted

Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by user deleted » Sat Jun 03, 2006 9:07 am

Hi Jm,

Thanks for the additional info. I am searching the files, and so far cannot find any "minimum limit" in the code either. Any suggestions with regard to a fix?

I would be all for a check on password length, both front and backend. The length could be set through Global Configuration.

Beat
Joomla! Guru
Posts: 844
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by Beat » Sat Jun 03, 2006 4:27 pm

We saw the same "problem" in CB RC2 and implemented identical checks in the backend as in the frontend in CB 1.0 stable (including CB settings for restrictions on username changes) ;)

This has the effect that an admin can't set a short password in the backend, even if he wants to, and can't change the username either if the CB settings don't allow it.

Except for the username change, which should always be possible in the backend for super-admins independently of CB settings, we didn't have negative feedback on these new restrictions being the same in the backend as in the frontend.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [BUG] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by stingrey » Sat Jun 03, 2006 4:36 pm

Beat wrote: We saw the same "problem" in CB RC2 and implemented identical checks in the backend as in the frontend in CB 1.0 stable (including CB settings for restrictions on username changes) ;)
Similar functionality options will be added to 1.5:
- Ability to lock username change
- Ability to set minimum password level
- Ability to set minimum username level

As to whether such increased security functionality should also be implemented in the 1.0.x series, I am still not sure at this stage.
Last edited by stingrey on Sat Jun 03, 2006 4:38 pm, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by stingrey » Sat Jun 03, 2006 4:37 pm

As to this report, I'm not sure why this is happening - a discrepancy between frontend and backend limits.

I had thought the limitation already existed in the frontend - now it is possible this got accidentally removed somewhere - or worse, never existed.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by infograf768 » Sat Jun 03, 2006 4:49 pm

I see no discrepancy here, Rey.
There is no minimum limit on the number of characters in the front AS in the back on my settings.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by stingrey » Sat Jun 03, 2006 5:06 pm

infograf768 wrote: I see no discrepancy here, Rey.
There is no minimum limit on the number of characters in the front AS in the back on my settings.
Actually you are correct.
I thought there was a 6 character minimum limit for passwords, but it seems there is actually no limit on the number of characters in a password, front or backend.

There is a 3 character minimum for usernames, but nothing for passwords.

However, this is a separate issue from this report.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by stingrey » Sat Jun 03, 2006 5:59 pm

Fixed in 1.0.9 SVN

Due to an incorrect logic check

Code:
    if (!$pass) {

which will mean a $pass = 0 will result in the check being passed.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D
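The post above quotes only the one line `if (!$pass) {`, not the file it sits in. As an added illustration (not code from the thread or from Joomla), the PHP snippet below shows why that check treats the password "0" as "no password entered" and what a strict replacement looks like. The function names and the sample inputs are mine; the behaviour shown is plain PHP loose-to-boolean conversion, under which the strings "" and "0" are the only two strings that evaluate to false.

```php
<?php
// Added example, not Joomla's own code: the loose check quoted in the
// thread next to a strict one, run over a few constructed password values.
declare(strict_types=1);

// Shape of the faulty administrator-login check. `!` forces a loose
// boolean conversion, and in PHP both "" and "0" convert to false, so a
// user whose password is literally "0" is told to "Enter a password".
function passwordMissingLoose(string $pass): bool
{
    return !$pass;
}

// Strict replacement: only a zero-length string counts as missing.
// Any non-empty string, "0" included, is handed on to the credential check.
function passwordMissingStrict(string $pass): bool
{
    return $pass === '';
}

// Constructed sample inputs. "0" is the case from the bug report; the
// others show which neighbours of it are and are not affected.
$samples = ['', '0', '00', '0.0', ' ', '1', 'A'];

printf("%-6s %-10s %-10s %-10s\n", 'input', 'loose (!)', 'strict', 'empty()');
foreach ($samples as $pass) {
    printf(
        "%-6s %-10s %-10s %-10s\n",
        var_export($pass, true),
        passwordMissingLoose($pass) ? 'MISSING' : 'ok',
        passwordMissingStrict($pass) ? 'MISSING' : 'ok',
        // empty() uses the same loose rule as `!`, so swapping one for the
        // other would not have fixed this bug.
        empty($pass) ? 'MISSING' : 'ok'
    );
}
```

Run with `php` from the command line, the loose and empty() columns print MISSING for both '' and '0', while the strict column prints MISSING only for ''. Note that "00", "0.0" and " " are all truthy in PHP, which is why the thread could only reproduce the problem with a single zero and not with "1" or "A".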

RedBox
Joomla! Intern
Posts: 64
Joined: Fri Oct 07, 2005 4:45 pm

Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by RedBox » Sat Jul 08, 2006 4:20 am

I am confused. Is this fixed in the 1.0.10 version? I can still use a password shorter than 6 chars. Or is the fix just so that if you set '0' as your password, it will now work in the backend as well?  ??? ???


RedBox

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by stingrey » Sun Jul 09, 2006 4:25 am

RedBox wrote: Or is the fix just so that if you set '0' as your password, it will now work in the backend as well?  ??? ???
Simply fixed `0` (zero) working as a valid password.

Functionality to change the password length will be addressed in 1.5.x.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

ot2sen
Joomla! Master
Posts: 10381
Joined: Thu Aug 18, 2005 9:58 am
Location: Hillerød - Denmark

Re: [CONFIRMED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by ot2sen » Tue Nov 07, 2006 10:01 am

stingrey wrote:
infograf768 wrote: I see no discrepancy here, Rey.
There is no minimum limit on the number of characters in the front AS in the back on my settings.
Actually you are correct.
I thought there was a 6 character minimum limit for passwords, but it seems there is actually no limit on the number of characters in a password, front or backend.

There is a 3 character minimum for usernames, but nothing for passwords.

However, this is a separate issue from this report.
Not sure if this is relevant for the upcoming 1.0.12, but noticed that there actually is a 6 character minimum limit for the password - when registering.

When registering an account the user can only register if using a minimum of 6 characters, or a warning from the language file is shown:

    DEFINE('_VALID_AZ09',"Please enter a valid %s.  No spaces, more than %d characters and contain 0-9,a-z,A-Z");
    DEFINE('_VALID_AZ09_USER',"Please enter a valid %s.  More than %d characters and contain 0-9,a-z,A-Z");

This limit is created in /components/com_registration/registration.html.php at lines 87-95 (the alert texts were lost when the page was rendered; the `< 6` comparison is the 6 character minimum described above):

    } else if (form.password.value.length < 6) {
        alert( "" );
    } else if (form.password2.value == "") {
        alert( "" );
    } else if ((form.password.value != "") && (form.password.value != form.password2.value)){
        alert( "" );
    } else if (r.exec(form.password.value)) {
        alert( "" );
    } else {

Just bringing this up, because a user asked how to let his site users change their password to fewer characters than this registration warning message requires.
Sounds like he is not aware that this limit is only active at registration - and that there's no limit when changing the password in future.
Ole Bang Ottosen
Dansk frivillig Joomla! support websted - joomla.dk
OpenTranslators Core Team opentranslators.org
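The check quoted in the post above is JavaScript that runs in the browser and only on the registration form, so it is skipped on the "Your Details" password-change form and can be bypassed entirely by posting the form without the script. As an added example (my code, not Joomla's or Community Builder's), the PHP function below is a server-side password policy that both the registration handler and the password-change handler, front-end and back-end, could call. The function name, the constant and the sample requests are mine; the 6 character minimum and the "no spaces" rule are the ones the thread's language strings describe, and the regex `r` from the original script is not on the page, so nothing beyond those two rules is mirrored here.

```php
<?php
// Added example, not Joomla's own code: one server-side password check
// shared by registration and by the "Your Details" password change, so
// the policy cannot be bypassed by skipping the client-side JavaScript.
declare(strict_types=1);

// Assumed value; the thread reports a 6 character minimum at registration.
const PASSWORD_MIN_LENGTH = 6;

/**
 * Returns null when the new password is acceptable, otherwise the message
 * to show the user. Uses strict comparisons throughout so that a password
 * of "0" is treated as a real (if short) password rather than as missing.
 */
function validateNewPassword(
    string $password,
    string $confirm,
    int $minLength = PASSWORD_MIN_LENGTH
): ?string {
    if ($password === '') {
        return 'Enter a password';
    }
    if ($password !== $confirm) {
        return 'Passwords do not match';
    }
    // strlen() is the server-side counterpart of the .length test in the
    // quoted JavaScript; a truthiness test would not measure anything.
    if (strlen($password) < $minLength) {
        return sprintf('Password must be at least %d characters', $minLength);
    }
    // The only character rule the thread documents is "no spaces".
    if (preg_match('/\s/', $password) === 1) {
        return 'Password must not contain spaces';
    }
    return null;
}

// Constructed sample requests standing in for the POST bodies that the
// registration and password-change handlers would receive.
$requests = [
    ['password' => '0',        'confirm' => '0'],        // the thread's case
    ['password' => 'abc',      'confirm' => 'abc'],      // too short
    ['password' => 'abc def1', 'confirm' => 'abc def1'], // contains a space
    ['password' => 'xyz123',   'confirm' => 'xyz124'],   // mismatch
    ['password' => 'xyz123',   'confirm' => 'xyz123'],   // accepted
];

foreach ($requests as $r) {
    $err = validateNewPassword($r['password'], $r['confirm']);
    printf("%-10s -> %s\n", var_export($r['password'], true), $err ?? 'accepted');
}
```

With this in place the browser-side check becomes a convenience for the user rather than the enforcement point, and "0" is rejected for being five characters too short instead of for being falsy.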

user deleted

Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by user deleted » Tue Nov 07, 2006 10:05 am

Thanks,
Sounds like he is not aware that this limit is only active at registration - and that there´s no limit when changing password in future.
Sounds like an issue to me, I'd expect that a password change would also verify this length. I'll check this with Q&T.

Beat
Joomla! Guru
Posts: 844
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by Beat » Tue Nov 07, 2006 10:10 am

RobInk wrote: Thanks,
Sounds like he is not aware that this limit is only active at registration - and that there's no limit when changing the password in future.
Sounds like an issue to me, I'd expect that a password change would also verify this length. I'll check this with Q&T.
RobInk: Talk with Rob, we discussed these last night 8)

CB has enforced those for some time... ;)
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

user deleted

Re: [FIXED] Joomla 1.0.8 ! + SVN 3804, admin password ="0"

Post by user deleted » Tue Nov 07, 2006 10:59 am

Thanks Beat,

Sent him an email  ;)
