Bug #16314
Status: closed
GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages
% Done: 100%
Description
If an attacker attempts to log in by passing a username containing a newline, for example, the newline is included in the log message indicating that the login failed, so the message appears to be split across multiple lines and log entries.
Attached is a small PoC script which attempts to log in with a bad username containing a newline (admin\nblah). This results in a split log entry:
Jul 17 14:29:15 pfsense php-fpm[84788]: /index.php: webConfigurator authentication error for user 'admin Jul 17 14:29:15 pfsense php-fpm[84788]: blah' from: 198.51.100.142
There is no danger to the authentication process as the username isn't valid. However, the arbitrary string supplied by the attacker is included in the logs, so the attacker can influence the log content to make the messages confusing or appear to show events that did not occur.
The username in the logs should be trimmed to at most 32 characters and control characters should be removed or replaced by another string. While there are contexts such as LDAP where longer usernames may be valid, such configurations are uncommon and protecting the integrity of the log messages is more important.
There is a somewhat related bug in that sshguard will not trigger on these log messages (#16312); however, since these are not valid usernames it isn't a critical concern. To fix this log issue completely, that issue must be addressed first.
If we want to patch the log issue on versions where the sshguard issue is present, we can strip or replace any character outside of what sshguard will recognize with "_" or "-".
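As an added example (this is not pfSense's own code, the attached PoC, or the committed patch), the following Python sketch shows the two sanitisation policies discussed in this ticket: the default path caps the logged username at 32 characters and replaces control characters, and a stricter path additionally replaces every non-word character, as the workaround for older versions does. The message format and the sample inputs are constructed to match the log line quoted above; the function names and the "_" replacement are assumptions.

```python
import re

# Policy from the bug description: cap the logged username at 32 characters
# and neutralise control characters so a newline cannot split the log entry.
MAX_LOGGED_USERNAME = 32  # value stated in the ticket description
REPLACEMENT = "_"         # assumed replacement string (ticket suggests "_" or "-")

# C0 and C1 control characters plus DEL; this covers \n, \r, \t and ESC.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")
# Stricter variant mirroring the older-version workaround: anything that is
# not an ASCII word character is replaced, so the result is always sshguard-friendly.
_NON_WORD_RE = re.compile(r"[^A-Za-z0-9_]")


def sanitize_username_for_log(username: str, strict: bool = False) -> str:
    """Return a log-safe rendering of *username*.

    strict=False: replace control characters, then truncate to MAX_LOGGED_USERNAME.
    strict=True:  replace every non-word character instead (older-version workaround),
                  then truncate. Note this also rewrites otherwise valid remote-auth
                  usernames such as 'user@example.com', which is the trade-off the
                  ticket comments describe.
    """
    pattern = _NON_WORD_RE if strict else _CONTROL_RE
    cleaned = pattern.sub(REPLACEMENT, username)
    return cleaned[:MAX_LOGGED_USERNAME]


def auth_failure_message(username: str, client_ip: str,
                         strict: bool = False, sanitize: bool = True) -> str:
    """Build the auth-failure message in the format quoted in the ticket.

    sanitize=False reproduces the original (vulnerable) behaviour of logging the
    raw username, so the effect of the fix can be compared directly.
    """
    user = sanitize_username_for_log(username, strict=strict) if sanitize else username
    return f"webConfigurator authentication error for user '{user}' from: {client_ip}"


def count_log_lines(message: str) -> int:
    """How many syslog lines a message would occupy if written as-is."""
    return len(message.splitlines())


if __name__ == "__main__":
    # Constructed sample inputs: the ticket's newline case, a CRLF/ESC variant,
    # an over-long name and a remote-auth style name.
    samples = ["admin\nblah", "admin\r\n\x1b[2Jblah", "a" * 64, "user@example.com"]
    for name in samples:
        raw = auth_failure_message(name, "198.51.100.142", sanitize=False)
        fixed = auth_failure_message(name, "198.51.100.142")
        strict = auth_failure_message(name, "198.51.100.142", strict=True)
        print(f"raw lines={count_log_lines(raw)}  default: {fixed}")
        print(f"{'':>13}strict:  {strict}")
```

Running the script shows the raw "admin\nblah" message occupying two lines while both sanitised forms stay on one; the strict mode also turns "user@example.com" into "user_example_com", which is the side effect the later comments give as the reason for not using it on 25.11.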
Updated by Jim Pingle 6 months ago
- Blocked by Bug #16312: ``sshguard`` does not trigger for GUI logins from usernames containing unexpected characters added
Updated by Jim Pingle about 2 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 03dc855a9e48a8c808880e2db893e30737003e1a.
Updated by Jim Pingle about 2 months ago
- File 16312_16314.patch 16312_16314.patch added
The 16312_16314.patch patch file applies to Plus 25.07.1 and CE 2.8.1 and addresses this issue. However, it is slightly different in that it also works around #16312 by stripping any non-word character out of the username. It may apply on older versions, but I didn't test it back any farther than 25.07.1 and 2.8.1.
I opted not to take that route on 25.11 and later as it changes the text sent by the user even further and might also unnecessarily change usernames which might be valid on some remote auth servers.
Updated by Jim Pingle about 2 months ago
Changes are committed to the 25.11 branch but need to wait for a new build to test.
Changes are also in for development builds, but those need to wait on the MR for #16528 to complete testing (MR works, just not merged or in a build yet).
Updated by Jim Pingle about 2 months ago
- Status changed from Feedback to Resolved
Working as expected on the latest builds of 25.11 and CE 2.9.0. sshguard triggers properly no matter what valid/invalid username is sent.
Updated by Jim Pingle about 2 months ago
- Subject changed from Usernames containing special characters or long strings can cause ambiguous or confusing log messages to GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages