Wide character in crypt generates stack trace with password revealed

Hi everyone,
when logging into RT with a Czech keyboard accidentally set, wide
characters may be accidentally supplied to the password routine. (Czech
keyboards have letters with wedges in the same row as numbers.)
This causes the error shown in the attached page, revealing the password to
bystanders as well as needlessly showing the RT path.

I am providing a quick patch that catches the exception generated by
crypt and makes RT behave as if an ordinary bad password was provided.

Martin

Mgr. Martin Drasar drasar@ics.muni.cz
Network Security Department http://ics.muni.cz/
CSIRT-MU http://www.muni.cz/csirt
Institute of Computer Science, Masaryk University, Brno, Czech Republic
PGP Key ID: 0x944BC925

wide_char_err.patch (1015 Bytes)

wide_char_err.htm (7.2 KB)
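
The approach described in the message above, trapping the crypt exception and treating it as a failed login, sketched as an added example. It is not the attached patch and not RT's code; `password_matches` is a hypothetical helper, the sample hash is constructed, and it assumes the platform's crypt() accepts a traditional two-character salt.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;    # the source below contains Czech letters as characters

# Hypothetical helper, not RT's code: check a supplied password against a
# stored crypt() hash without letting a crypt() exception reach the error page.
sub password_matches {
    my ($supplied, $stored) = @_;
    return 0 unless defined $supplied && defined $stored && length $stored;

    # crypt() dies with "Wide character in crypt" when the string contains a
    # code point above 255 that cannot be downgraded to bytes. Trap it here.
    my $hash = eval { crypt($supplied, $stored) };
    unless (defined $hash) {
        # Record that the check failed, but never the password itself.
        warn "password check: crypt() rejected the supplied value\n";
        return 0;
    }
    return $hash eq $stored ? 1 : 0;
}

# Constructed sample data: the real password is "2345"; "ěščř" is what the
# same four keys produce with a Czech layout active.
my $stored = crypt('2345', 'ab');
my @attempts = (
    [ 'correct password'        => '2345' ],
    [ 'Czech-layout keystrokes' => 'ěščř' ],
    [ 'plain wrong password'    => 'wrong' ],
);
for my $attempt (@attempts) {
    my ($label, $password) = @$attempt;
    printf "%-24s %s\n", $label,
        password_matches($password, $stored) ? 'accepted' : 'rejected';
}
```

The second attempt is rejected like any other bad password, and nothing containing the typed value is written to the log or the response.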

Hello Martin,

  1. There is a warning in the config regarding using stack traces and how
    it can reveal secure information.
  2. This particular problem has been solved in RT 3.8.8 RC2.

2010/4/20 Martin Drasar drasar@ics.muni.cz:

Hi everyone,
when logging into RT with a Czech keyboard accidentally set, wide
characters may be accidentally supplied to the password routine. (Czech
keyboards have letters with wedges in the same row as numbers.)
This causes the error shown in the attached page, revealing the password to
bystanders as well as needlessly showing the RT path.

I am providing a quick patch that catches the exception generated by
crypt and makes RT behave as if an ordinary bad password was provided.

Martin


Mgr. Martin Drasar drasar@ics.muni.cz
Network Security Department http://ics.muni.cz/
CSIRT-MU http://www.muni.cz/csirt
Institute of Computer Science, Masaryk University, Brno, Czech Republic
PGP Key ID: 0x944BC925

Best regards, Ruslan.

On 20.4.2010 13:51, Ruslan Zakirov wrote:

Hello Martin,

  1. There is a warning in the config regarding using stack traces and how
    it can reveal secure information.

Ok, must have missed/forgotten it.

  2. This particular problem has been solved in RT 3.8.8 RC2.

Glad to hear it.

Thank you,
Martin

Mgr. Martin Drasar drasar@ics.muni.cz
Network Security Department http://ics.muni.cz/
CSIRT-MU http://www.muni.cz/csirt
Institute of Computer Science, Masaryk University, Brno, Czech Republic
PGP Key ID: 0x944BC925