Submitted by lewellyn on Wed, 04/13/2011 - 23:13
I've been banging my head against the wall today trying to figure out why a user's password wasn't working. It turns out that Webmin does not set passwords properly if "special" characters are used in them, specifically single and double quotes.
For example, the password t53'6FS5d does not work when set through the web interface, but SSHing in as root allows the password to be set.
If there are explicitly invalid characters, the field should be checked/sanitized and the person setting the password should know about it. As it stands, there are no restrictions listed in the Web UI.
Status:
Active
Comments
Submitted by JamieCameron on Thu, 04/14/2011 - 13:20 Comment #1
I just created a domain with that password, and could login just fine .. which is expected, as Webmin doesn't have any limitations on characters like ' in passwords.
I wonder if this is browser specific perhaps ... which browser are you seeing this issue for, and on which OS?
Submitted by lewellyn on Fri, 04/15/2011 - 02:29 Comment #2
I saw this with IE 9, and my issue was that the user was unable to SSH in (I apologize if I was unclear there). Can you confirm that the user's password works for SSH?
Submitted by Locutus on Fri, 04/15/2011 - 14:52 Comment #3
I can confirm that for me, testing Opera 11 and IE 8 with Webmin 1.540 on Ubuntu Server 10.04 64-bit, the password you posted above works correctly for SSH login.
For comparison: when creating a user with the password t53'6FS5d, then going back to the user edit screen in Webmin, do you see this pre-encrypted password?
$6$02896947$iJFLji777pbfwec4mIiWlDrHqshvTmq2ohE0AySwC9LaC8J1GFAqHgqW2zfe671aB/XCktmT/6eknOARjWD5P/
Submitted by JamieCameron on Fri, 04/15/2011 - 15:40 Comment #4
I just did another test, and SSH works fine with this password as well. Which SSH client are you using?
Comparing the hashed password isn't very useful, as the salt is randomly selected so if the same password is hashed twice it will have two different results.
Submitted by Locutus on Fri, 04/15/2011 - 16:42 Comment #5
D'oh. You're right. I withdraw my question. :)
Hm.. maybe.. then.. Lewellyn, try entering the hashed password I pasted, and see if you can then login with the clear-text one you posted. :) That should be a valid test if the problem lies within the cleartext-to-hash function of Webmin or elsewhere, I hope.
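The point made in comments #4 and #5, as an added example that is not part of the original thread: two hashes of the same password differ when the salts differ, so a cleartext password is checked by re-hashing it with the salt embedded in the stored `$6$` value. It assumes OpenSSL 1.1.1 or later (`openssl passwd -6`); the function names and the two salts are made up for illustration.

```shell
#!/bin/sh
# Added example: check a cleartext password against a stored SHA-512 crypt
# ($6$) hash by re-hashing it with the salt taken from the stored value.
# Function names are hypothetical; salts below are constructed samples.

# hash_with_salt PASSWORD SALT -> prints $6$SALT$HASH
# The password goes in on stdin so it never appears in the process list.
hash_with_salt() {
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# extract_salt STORED_HASH -> prints the salt field of $6$SALT$HASH
extract_salt() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# verify_crypt PASSWORD STORED_HASH
# returns 0 on match, 1 on mismatch, 2 if the hash format is not handled
verify_crypt() {
    case "$2" in
        '$6$rounds='*) return 2 ;;   # custom round counts not handled here
        '$6$'*'$'*) ;;               # plain $6$salt$hash
        *) return 2 ;;               # not a SHA-512 crypt hash
    esac
    salt=$(extract_salt "$2")
    [ "$(hash_with_salt "$1" "$salt")" = "$2" ]
}

# Demo: double quotes keep the single quote in the password literal.
pw="t53'6FS5d"                            # password quoted in the thread
h1=$(hash_with_salt "$pw" "saltA1234")    # constructed salt
h2=$(hash_with_salt "$pw" "saltB5678")    # constructed salt
if [ "$h1" != "$h2" ]; then
    echo "same password, different salts: hashes differ"
fi
if verify_crypt "$pw" "$h1"; then
    echo "re-hash with the stored salt: match"
fi
```

To check a real account, pass the hash field from /etc/shadow as the second argument to `verify_crypt`.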