Igelineau
Using purify to secure a password
February 04, 2011 09:39PM

Hello,

I currently use and try to improve the Vtiger CRM system. It uses the vtlib_purify function a lot to secure user input. I understand that it uses the htmlpurifier tool.

I found a bug in the Vtiger login page, when logging in with a password containing an ampersand.

I was able to pin down the problem: the password input is passed through the vtlib_purify function before it is hashed with the PHP crypt function and compared to the one from the database.

When the password contains an ampersand (&), all these ampersands are replaced by their HTML-encoded code:

&amp;

Of course, when encoding the purified password and comparing with the hash in the database, there is no match.

I was able to solve the problem by adding a htmlspecialchars_decode($password) call after the purify call, but I suspect that leaves a security breach and makes the purify call useless...

Is it standard to deny passwords containing an ampersand or other special characters? Is it useful to use the purify tool on the password, if it's passed to the crypt function later? I have myself used a lot of passwords with an ampersand, and it's the first time I have had a problem with it.

Please, if someone has a solution to my problem, I'm very interested.

P.S. Please excuse my not always perfect English, I'm speaking French.

Ismaël

Re: Using purify to secure a password
February 05, 2011 06:47AM

don't use htmlpurifier for NON-HTML. purifier is designed for HTML code only.

if you want to filter plain text, then use a different filter.

there are plenty of PHP functions available to do the job.

for passwords I would probably use filter_var($plaintext_pass, FILTER_SANITIZE_STRING); or if it's a $_POST, then filter_input(INPUT_POST, $plaintext_pass, FILTER_SANITIZE_STRING)

filter_var() & filter_input() are both native PHP functions. see http://www.php.net/manual/en/ref.filter.php

but never use htmlpurifier for filtering plaintext or non-html input.

Re: Using purify to secure a password
February 05, 2011 06:49AM

Hello,

This problem belies a very fundamental misunderstanding about how encoding works. I will try to elucidate. What is a password? A password is an arbitrary string of characters, with no structure to them. As such, there is no "validation" that needs to be done on it, you just hash it and then perform the comparison on it with the database. HTML Purifier should NOT be called on passwords.

Edward
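The failure Ismaël describes and the check Edward recommends, side by side, as an added example (not code from this thread, from Vtiger or from HTML Purifier). vtlibPurifyStandIn is a constructed stand-in for vtlib_purify that reproduces only the behaviour at issue, HTML-escaping of special characters such as the ampersand; the sample password and salt are constructed.

```php
<?php
// Constructed stand-in for vtlib_purify: the only behaviour reproduced here is
// that HTML-special characters are entity-encoded, so "&" becomes "&amp;".
function vtlibPurifyStandIn(string $input): string {
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// The check described in the thread: the submitted password is "purified"
// before hashing. A password containing "&" is hashed as "p&amp;ss", which can
// never match a hash that was stored from the raw password at registration.
function loginWithPurify(string $submitted, string $storedHash): bool {
    $purified = vtlibPurifyStandIn($submitted);
    return crypt($purified, $storedHash) === $storedHash;
}

// The correct check: a password is an opaque string with no structure to
// validate, so it is hashed exactly as submitted. Only the hash output reaches
// the database, so no HTML or SQL escaping of the password is involved.
// hash_equals() compares in constant time instead of with ===.
function loginPlain(string $submitted, string $storedHash): bool {
    return hash_equals($storedHash, crypt($submitted, $storedHash));
}

// Constructed sample: the hash a registration step would have stored from the
// raw password, using SHA-512 crypt ($6$) with a random 16-character salt.
$password   = 'Tr&sor!2011';
$storedHash = crypt($password, '$6$' . bin2hex(random_bytes(8)) . '$');

// Same raw password, two outcomes: the purified path rejects the correct
// password because "&" was rewritten; the plain path accepts it and still
// rejects a wrong one.
var_dump(loginWithPurify($password, $storedHash));
var_dump(loginPlain($password, $storedHash));
var_dump(loginPlain('wrong-password', $storedHash));
```

On PHP 5.5 and later, password_hash() and password_verify() are the usual replacements for calling crypt() directly; the point about not sanitising the password before hashing is the same either way.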

Re: Using purify to secure a password
February 05, 2011 01:07PM

Thank you both for your answer. I'm relatively new to the PHP and Vtiger world, that's why I didn't doubt the need to use the purifier function. I will remove it from my own Vtiger system source code, and indeed I will resolve the problem.

Ismaël
