chanx-young Posted February 9, 2015

Hello, I'm trying Blesta to replace WHMCS because of its security bugs, but now I found another bug. I'm using the cPanel module to change the account password either via admin or as a client. When the change has been made it shows success, but I can't use the new password to log in to cPanel; the old password is still there on cPanel.

After checking the Blesta log, the unsuccessful password change contains:

{"passwd":[{"statusmsg":"Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher.","services":null,"rawout":null,"status":0}]}

So I tried with a more complex password and voila, the cPanel password has changed to the new one and the log is:

{"passwd":[{"statusmsg":"Password changed for user “xxxxx”.","services":[{"app":"system"},{"app":"ftp"},{"app":"mail"},{"app":"MySQL"},{"app":"postgresql"}],"rawout":"Password for “xxxxx” has been changed.\nUpdating FTP passwords for xxxxx\nFTP password files updated.\nFTP vhost passwords synced\n","status":1}]}

I think this must be fixed. If the cPanel password is not strong enough, Blesta should not save the new password and say that the action was a success. Hope you guys can understand. Thank you.
Michael Posted February 9, 2015

It's not a bug in my opinion, it's just how Blesta runs, security first. The InterWorx module and others are the same.
Blesta Addons Posted February 9, 2015

After checking the Blesta log, the unsuccessful password change contains: {"passwd":[{"statusmsg":"Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher.","services":null,"rawout":null,"status":0}]}

It's not a bug in my opinion, it's just how Blesta runs, security first. The InterWorx module and others are the same.

So, I think it is a bug, because the module is sending a non-success message, and Blesta should take this error response into consideration, like the other non-success messages.
Michael Posted February 9, 2015

So, I think it is a bug, because the module is sending a non-success message, and Blesta should take this error response into consideration, like the other non-success messages.

If you think it should show a message saying "Error: Password too weak" then that's a feature request for an Improvement to the modules.
ModulesBakery Posted February 9, 2015

I would agree with LicenseCart that it is not a bug; however, an improvement is a must here IMO. If you looked at the module's code, you would see that it does not check or return the response of the API request in the first place, so the module is functioning correctly here: it sends the API request and then saves the new value in the database.
chanx-young Posted February 9, 2015 Author

I would agree with LicenseCart that it is not a bug; however, an improvement is a must here IMO. If you looked at the module's code, you would see that it does not check or return the response of the API request in the first place, so the module is functioning correctly here: it sends the API request and then saves the new value in the database.

That's a problem: you can't save the value to the database if the module returns an error. The password is not changed and you save the new, wrong password to your database. How can it be? This must be solved; not a feature, but a bug that has to be solved. It is a feature to check the strength of the password, but it is a bug if you save the wrong password. CMIIMW
Tyson Posted February 9, 2015

Hello, I'm trying Blesta to replace WHMCS because of its security bugs, but now I found another bug. I'm using the cPanel module to change the account password either via admin or as a client. When the change has been made it shows success, but I can't use the new password to log in to cPanel; the old password is still there on cPanel. After checking the Blesta log, the unsuccessful password change contains: {"passwd":[{"statusmsg":"Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher.","services":null,"rawout":null,"status":0}]}

It would be great if you could include more information as described in How to Report a Bug. Steps to duplicate the issue would be most useful, describing how and where you changed the password, and preferably the password you used that led to the error.

I would agree with LicenseCart that it is not a bug; however, an improvement is a must here IMO. If you looked at the module's code, you would see that it does not check or return the response of the API request in the first place, so the module is functioning correctly here: it sends the API request and then saves the new value in the database.

The module doesn't need to return the API response, and modules don't (usually) make calls to update the database directly. That is usually handled by the caller after evaluating any errors set.

That's a problem: you can't save the value to the database if the module returns an error. The password is not changed and you save the new, wrong password to your database. How can it be? This must be solved; not a feature, but a bug that has to be solved.

Please provide steps for us to duplicate the issue. From what I can tell the module does not update any fields (e.g. password) when there is a module error.
chanx-young Posted February 9, 2015 Author

Okay, retrying the bug report:

1. On the admin page -> choose a client -> choose his cPanel service (/client/view/) -> click on Manage -> scroll down to the cPanel options -> fill in the password field with 12345678.
2. The process will respond: "The service was successfully updated."
3. Click on the cPanel service and check that the password has been changed.
4. Try to log in: open a new tab and cPanel will return invalid login.
5. If we enter the old password, the login process will succeed.
6. Check the Blesta log; the cPanel module outputs this: {"passwd":[{"statusmsg":"Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher.","services":null,"rawout":null,"status":0}]}
7. The same result when changing the password logged in as a client.
8. Using Blesta 3.4.1, PHP 5.3.29, MySQL 5.5.40-cll and the cPanel plugin.
ModulesBakery Posted February 9, 2015

The module doesn't need to return the API response, and modules don't (usually) make calls to update the database directly. That is usually handled by the caller after evaluating any errors set.

That's absolutely right for the database, and by the way you got me wrong about updating the database (I did not mean that the module itself directly makes the call). However, for the module returning the API response, I would disagree with you. In such modules it would be very hard to take into account all the cases which might return an error response, such as the one described in this thread, so instead of setting a lot of rules in the modules for each input, it would be much simpler and handier to parse the API response and return it to the view, e.g.: "statusmsg":"Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher."
Blesta Addons Posted February 9, 2015

such as the one described in this thread, so instead of setting a lot of rules in the modules for each input, it would be much simpler and handier to parse the API response and return it to the view, e.g.: "statusmsg":"Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher."

I have this in some of my home-made modules: in case of a module error, I display the module error response, and that is the correct way, because the success message has one definition, while error messages are multiple and have several cases. Also, in some control panels, when updating there are more error messages and rules.
Tyson Posted February 9, 2015

Thanks for listing the steps to duplicate. It should be noted that you also need to ensure you have your WHM account configured to require a password strength (e.g. 60) when attempting to duplicate this behavior. It looks like the API response from changing the account password is not in the same format as the other API responses that the module expects, so it was not handling that error. I've updated the module to handle that error for the next release. See CORE-1580.

That's absolutely right for the database, and by the way you got me wrong about updating the database (I did not mean that the module itself directly makes the call). However, for the module returning the API response, I would disagree with you. In such modules it would be very hard to take into account all the cases which might return an error response, such as the one described in this thread, so instead of setting a lot of rules in the modules for each input, it would be much simpler and handier to parse the API response and return it to the view, e.g.: "statusmsg":"Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher."

It's entirely up to the module to determine what an error is with respect to the API it makes use of, and to then let Blesta know what it is, if any. While cPanel generally displays friendly error messages, likely because the same message is shown in their account interfaces, error responses from the API can't always be parsed and sent to the view in Blesta. Some APIs don't return friendly messages (maybe just an error code #), or may contain sensitive information that should not be displayed in the public interface. The module should determine what the best error message response would be considering the information it has at hand and the fact that it will be displayed in the interface.
This is why several extensions sometimes defer to generic error messages. The cPanel error message for this particular password request can be confusing: "Sorry, the password you selected cannot be used because it is too weak and would be too easy to guess. Please select a password with strength rating of 60 or higher." The second sentence tells the user to select a password with a strength of 60+. What is 60 and how is it determined? The module doesn't know, the user won't know, and even I don't know what would pass that requirement. It might make more sense in cPanel because they display a password strength indicator while you type in your password, but that strength indicator is not available over the API. It would likely be better for the module to translate this message into something more useful/generic because of this, such as "The password you selected was rejected. Please enter a longer password containing numbers, letters, and symbols." But I'll leave that as a feature for another day.
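As an added illustration of the behaviour the thread converges on (this is not Blesta's or the cPanel module's own code), here is a Python sketch that treats only an explicit "status": 1 in the passwd response as success, maps the strength-rating text to the generic wording proposed above, and lets the caller persist the new password only after that check. The sample responses are constructed to mirror the JSON quoted in the thread; the UNEXPECTED shape and all function names are assumptions.

```python
import json

# Constructed sample responses (not captured from a live server). The first two
# mirror the JSON quoted in the thread; the third is a hypothetical shape the
# module never expected, which must also be treated as a failure.
WEAK_PASSWORD = ('{"passwd":[{"statusmsg":"Sorry, the password you selected cannot be '
                 'used because it is too weak and would be too easy to guess. Please '
                 'select a password with strength rating of 60 or higher.",'
                 '"services":null,"rawout":null,"status":0}]}')
CHANGED = ('{"passwd":[{"statusmsg":"Password changed for user xxxxx.",'
           '"services":[{"app":"system"},{"app":"ftp"},{"app":"mail"}],'
           '"rawout":"Password for xxxxx has been changed.\\n","status":1}]}')
UNEXPECTED = '{"result":[{"status":1,"statusmsg":"ok"}]}'  # hypothetical other shape

GENERIC_REJECT = ("The password you selected was rejected. Please enter a longer "
                  "password containing numbers, letters, and symbols.")


def parse_passwd_response(raw):
    """Return (ok, message). Only an explicit "status": 1 counts as success;
    unreadable JSON, a missing "passwd" key or any other status is a failure."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return False, "Unreadable response from cPanel"
    entries = data.get("passwd") if isinstance(data, dict) else None
    if not isinstance(entries, list) or not entries or not isinstance(entries[0], dict):
        return False, "Unexpected response format from cPanel"
    entry = entries[0]
    msg = str(entry.get("statusmsg") or "")
    if entry.get("status") == 1:
        return True, msg or "Password changed"
    return False, msg or "Password change rejected by cPanel"


def user_facing_error(statusmsg):
    # Map cPanel's strength-rating text to the generic wording from the thread;
    # the module, not the raw API, decides what is safe to show in the interface.
    if "too weak" in statusmsg:
        return GENERIC_REJECT
    return statusmsg


def apply_password_change(record, new_password, api_response):
    """Model the caller: persist the new password only after cPanel confirms it.
    Returns (ok, message, updated_record) without mutating the input record."""
    ok, msg = parse_passwd_response(api_response)
    if not ok:
        return False, user_facing_error(msg), dict(record)
    updated = dict(record)
    updated["password"] = new_password
    return True, msg, updated
```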