Username=Email Address Breaks Password Retrieval
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 4,002
Location: Land of the Blazing Sun!

YaBB 2.6.1
Username=Email Address Breaks Password Retrieval
Apr 18th, 2014 at 3:02pm
Excerpt from e-mail to Dandello earlier -

Quote:
On Fri, Apr 18, 2014 at 9:42 AM, Jon Baker <jonbservergeek@gmail.com> wrote:
You are going to hate me.

One of my users may have exposed a true flaw in the registration system. I had dismissed it earlier.  I have tested and replicated the issue on the unpatched Beta board.
 
A. What the scenario is -
I had a user who forgot his password on my IIS/Beta 2.6 forum. He used the password recovery system. The forum sent him the password recovery link. When he clicked on the link, he got an error message "The User ID you submitted is invalid. Please try again.". He posted a cut & pasted copy of the e-mail in the Testing Board on the forum. I tried the link and got the same message. My thought was that he had mis-copied the link.

I tested the system myself using my Userid - it worked correctly for me, so I dismissed it as a user error. That was a wrong assumption. Yesterday, it troubled me enough to look again. I wanted to see if he had concatenated the link/URL when copying (because Display had abbreviated it). I went into the post via Modify and copied the link into an editor. Then I copied the link I received; they were not the same length (specifically the user= portion). I don't know how that hash works, so I decided to test things -

Mine that works
00362C2B1230373D352011362A2D590
His that didn't
242331777F737106212B272F2A6825292B460

So, I decided to change his e-mail address so I would be the recipient and I could try the link.

After I got into Modify mode on his profile, I changed the e-mail address to be a gmail address of mine (found another issue when I tried to save - but later on that)
I noticed something about his profile that freaked me - his profile name (aka username) was the SAME as his old e-mail address. BAD BAD BAD 'programmer feelings' started. (the heebie-jeebies)

So I did the same thing with a short gmail address (it has to be short to fit in the username form field) and made it both my username + email address.

Owwww - YaBB allows that. And it for sure breaks the Password Retrieval -

Outcomes -

If you use the e-mail address OR the username in Password retrieval - YaBB will tell you the user does not exist (and not send an e-mail therefore).

If you use the Displayname with password retrieval, you will get an invalid key.

Here is the key for jp.yyyya@gmail.com when sent using the Displayname

http://beta.yabbforum.com/cgi-bin/community/YaBB.pl?action=resetpass&ID=LHN6yn1o...

that link yields this message:
The User ID you submitted is invalid. Please try again.

My 'perma-fix' suggestion - disallow username==email_address

I have not yet tested it with other YaBB versions.


Folks -

Please test this on 2.4m 2.5AE & 2.5.2 forums

thanks

I find your lack of faith disturbing.
------
Re: Username=Email Address Breaks Password Retrieval
Reply #1 - Apr 18th, 2014 at 3:47pm
Problem is on 2.5.2

Works on 2.4
JonB
Re: Username=Email Address Breaks Password Retrieval
Reply #2 - Apr 18th, 2014 at 3:56pm
Problem is there on 2.4 - E-mail address = userid.

You can register AND use PW retrieval. YaBB sends the PW e-mail correctly - but the Link is invalid.

Code:
The Fours Forum Password reminder
Email successfully sent to: jp.1948a@gmail.com 



Code:
You have an invalid ID. Please try again. 



I replicated the process twice. The error message is a bit different from 2.6.

I don't have any true working 2.5.2 forums, so I can't test easily.

Uggh
Elrick.
Re: Username=Email Address Breaks Password Retrieval
Reply #3 - Apr 18th, 2014 at 4:35pm
Tested on 2.5 AE ~ email sent, link works OK, reset password and all OK.
Tested on 2.6.0 all OK too.


~ Perhaps the time limit to reset password from email notification (I have it set for 10 minutes) is shorter in some setups and this invalidates username/login??

~*~

« Last Edit: Apr 18th, 2014 at 4:44pm by Elrick. »  

------
Re: Username=Email Address Breaks Password Retrieval
Reply #4 - Apr 18th, 2014 at 5:08pm
I just tried again and I can't duplicate the error on 2.4

I tried userid, email and Display Name and all worked
JonB
Re: Username=Email Address Breaks Password Retrieval
Reply #5 - Apr 18th, 2014 at 6:11pm
Question - you made the user name an e-mail address and the username that same e-mail address???

Example:

Username: jp.1948a@gmail.com
e-mail address: jp.1948a@gmail.com

Did you create the users in Admin Center or use registration forum?

I have now done it 4 times and had the same results.

Please PM the e-mail addresses & usernames used, so we can eliminate if it has anything to do with the choices made.  Also let me know if I can test on those same boards you used to test.

thanks
JonB
Re: Username=Email Address Breaks Password Retrieval
Reply #6 - Apr 18th, 2014 at 6:41pm
You could just test on the Beta forum - I have broken that already.

@ Elrick - where did you find this control?

time limit to reset password

I don't think (even if I could find it) it was an issue - as I did the whole thing each time in a few minutes.
Dandello
Re: Username=Email Address Breaks Password Retrieval
Reply #7 - Apr 18th, 2014 at 7:21pm
I can't reproduce the problem on my 2.5.2 board. A valid e-mail address on an admin created account using the email address as the Display name - Password reset worked with both the email address and the User-ID.

HOWEVER, in edit profile, it doesn't like changing a Display name to the email address.

If you only have one solution to a problem you're not trying hard enough!
JonB
Re: Username=Email Address Breaks Password Retrieval
Reply #8 - Apr 18th, 2014 at 7:47pm
Just replicated @ yabbforumsoftware.com

1 small difference - did not get error on PW request (used e-mail=userid)

Code:
Yet another Bulletin Board Support Password request
E-mail successfully sent to: jp.1948a@gmail.com
 


(which was what I got on 4.1)

BUT - link is invalid

Code:
Yet another Bulletin Board Support
System Information
The User ID you submitted is invalid. Please try again. 



E-mail contents

Quote:
Yet another Bulletin Board Support dandello@yabbforumsoftware.com via host.dandello.net
3:40 PM (2 minutes ago)

to me
Dear JuanP,

A request was made by a visitor at Yet another Bulletin Board Support to reset your password. If you did not submit a request to reset your password, then please ignore this e-mail.

Otherwise, go here to reset your password: http://yabbforumsoftware.com/cgi-bin/yabb2/YaBB.pl?action=resetpass&ID=ToLudjtV&...
Note: If the link does not work (or if you use AOL or a browser-based e-mail program), copy the link and insert it in the address bar of your Web browser and confirm with enter. Make sure there are no spaces before or after the link in the address bar.

Regards,
The Yet another Bulletin Board Support team


JonB
Re: Username=Email Address Breaks Password Retrieval
Reply #9 - Apr 18th, 2014 at 7:50pm
Just small item, the original user didn't have a '.' in the user portion of the e-mail address, so it's not likely that is the issue.

Dandello
Re: Username=Email Address Breaks Password Retrieval
Reply #10 - Apr 18th, 2014 at 8:11pm
I'm betting the problem with the user ID being an email address is the encryption doesn't like all-number user IDs and probably chokes on some of the non-alphanumeric characters as well.

(I thought Derek and I had decided to not allow non-alphanumeric characters in User IDs. I'll have to check this. But I'm 99% sure that's the problem. If so, there is no fix except to disallow non-alphanumeric characters in the User ID.)
------
Re: Username=Email Address Breaks Password Retrieval
Reply #11 - Apr 18th, 2014 at 9:45pm
JonB wrote on Apr 18th, 2014 at 6:11pm:
Did you create the users in Admin Center

Yes, the 2.4 forum I have is old and in the past I would use it for testing purposes. It only has three members and one of them is the Admin.

Dandello wrote on Apr 18th, 2014 at 8:11pm:
I thought Derek and I had decided to not allow non-alphanumeric characters in User IDs.

You had helped me do that in my 2.5.2 when I was getting the zero byte files. At the time we thought it was spammers giving me problems.
Dandello
Re: Username=Email Address Breaks Password Retrieval
Reply #12 - Apr 18th, 2014 at 9:50pm
Right now 2.6.0 allows numbers, letters, plus and minus, periods and 'at'.
Depending on further tests this may go down to numbers, letters, plus and minus. (I'm betting it's the 'at' character that's messing up the encryption/decryption process.)

Edited:
Yep, just tested on YaBB Beta a user ID that was all alphabetic except for an '@' and it came up 'invalid user name' on password reset. That character cannot be allowed in User IDs.

« Last Edit: Apr 18th, 2014 at 10:09pm by Dandello »  
 
Dandello
Re: Username=Email Address Breaks Password Retrieval
Reply #13 - Apr 19th, 2014 at 4:00pm
Update: The problem is definitely with the '@' symbol in the User ID. The cloak/decloak ID doesn't like that - but the problem seems to be similar to the problem YaBB has with all number User IDs - in some sections (like accessing the Profile section of UserCP) the cloak/decloak works fine when it's on. For other sections, it doesn't. (With all number User IDs when cloak was turned on, the 'instant approve' and 'instant delete' in the Registration log didn't work.) And I have no idea why there's a difference in behavior when calling exactly the same subroutines.

Need to do more checking on if there's something peculiar with reset password.
Edited:
It may be related to the keygen subroutine in System.pm.
« Last Edit: Apr 19th, 2014 at 4:03pm by Dandello »  
 
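Added example, not YaBB code and not from any poster in this thread: it illustrates the two mitigations the thread converges on in Reply #12 and Reply #13, namely restricting User IDs to letters, digits, plus and minus (so '@', '.' and all-digit IDs are rejected at registration, and the username can never equal the e-mail address), and issuing a password-reset link whose ID part is an opaque random token kept in a server-side table rather than a cloaked form of the User ID, so the characters in the User ID cannot affect whether the link validates. The `ResetTokenStore` class, the 10-minute default lifetime (Elrick's setting), the example.com accounts and the URL are all constructed assumptions; YaBB's actual cloak/decloak and keygen routines in System.pm are not reproduced.

```python
import re
import secrets
import time
from urllib.parse import urlencode

# Allowed User ID character set per Dandello's proposed rule (Reply #12):
# letters, digits, plus and minus. '@' and '.' are deliberately excluded.
USER_ID_RE = re.compile(r"[A-Za-z0-9+-]+")


def validate_user_id(user_id, email):
    """Return None if the User ID is acceptable, otherwise a reason string.

    Checks, in order: character set, all-digit IDs (also reported as
    troublesome in the thread), and JonB's 'username == e-mail' case.
    """
    if not USER_ID_RE.fullmatch(user_id):
        return "user ID may contain only letters, digits, '+' and '-'"
    if user_id.isdigit():
        return "user ID must not consist of digits only"
    if user_id.casefold() == email.casefold():
        return "user ID must not equal the e-mail address"
    return None


class ResetTokenStore:
    """Server-side map of opaque reset tokens to (user_id, expiry).

    Assumed design (not YaBB's): the e-mailed link carries only the random
    token, so the User ID is never encoded into, or decoded from, the link.
    """

    def __init__(self, ttl_seconds=600):  # 10 minutes, the limit Elrick mentions
        self.ttl = ttl_seconds
        self._tokens = {}

    def issue(self, user_id, now=None):
        """Create a single-use token for user_id; 'now' is injectable for tests."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the user ID for a valid, unexpired token, else None.

        The token is removed on first lookup, so a link cannot be replayed.
        """
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def build_reset_link(base_url, token):
    """Build the link placed in the e-mail; urlencode escapes anything unsafe."""
    return base_url + "?" + urlencode({"action": "resetpass", "ID": token})


if __name__ == "__main__":
    # Constructed sample accounts, not real forum data.
    for uid, mail in [("JuanP", "juanp@example.com"),
                      ("jp1948a@example.com", "jp1948a@example.com"),
                      ("12345", "someone@example.com")]:
        print(uid, "->", validate_user_id(uid, mail) or "ok")

    store = ResetTokenStore()
    tok = store.issue("JuanP")
    print(build_reset_link("http://forum.example/cgi-bin/yabb2/YaBB.pl", tok))
    print(store.redeem(tok))  # JuanP
    print(store.redeem(tok))  # None: the token was consumed on first use
```

Because the reset record is keyed by the random token and the User ID is stored alongside it on the server, the "jp.1948a.com" truncation seen in forgotten.passes cannot occur: nothing about the User ID is transformed on the way into the link or back out of it.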
Dandello
Re: Username=Email Address Breaks Password Retrieval
Reply #14 - Apr 19th, 2014 at 11:25pm
JonB wrote on Apr 18th, 2014 at 7:47pm:
Just replicated @ yabbforumsoftware.com

1 small difference - did not get error on PW request (used e-mail=userid)
I downloaded the forgotten.passes file from yabbforumsoftware.com
A couple of odd things: what should have been written in as 'jp.1948a@gmail.com' (the actual user ID) was entered as 'jp.1948a.com' - no idea why the '@gmail' section got taken out when writing to the forgotten.passes file. Plus, the user ID I created with all letters except for '@' didn't uncloak properly, so it was flagged as an invalid user ID.

So this may actually be two different but related issues.