Please upgrade your SPIP sites to 2.0.9 or 1.9.2i and/or install ecran_securite.php

Hi all,

Everyone should know that there are now scripts available to automatically crack any SPIP site vulnerable to the security flaw fixed in SPIP 2.0.9 and SPIP 1.9.2i. Using these scripts an attacker can automatically download a copy of your database and, using that information, change all of your users' passwords. Please upgrade your sites or, if you cannot upgrade, install `ecran_securite.php`.

`ecran_securite.php` is a "security screen" which blocks attacks using all known vulnerabilities in SPIP. This can help keep your site secure until you are able to upgrade it. See <http://www.spip.net/en_article4201.html> for installation instructions or for more information.

Cheers,

Thomas Sutton

bouncingorange
graphic+web design

Hello,
I have version 2.9 installed and there is a problem when some users want to register on the Farsi page. They enter an email address to receive a password. But what they receive is something like this:
:login __________18
Password: Password
They cannot log in with that information. The problem may be because of entering names in Farsi characters and not English.
Do you think there is any other reason? And any solution?
Kamran

They can also login with their email.

Actually, the login accepts only ascii characters : A-Za-z0-9-_
UTF8 characters would be dangerous for some security reasons.

.Gilles

On Mon, Sep 28, 2009 at 3:51 AM, kamran Mir Hazar <kamran_mirhazar@yahoo.com> wrote:

> Hello,
> I have version 2.9 installed and there is a problem when some users want to register on the Farsi page. They enter an email address to receive a password. But what they receive is something like this:
> :login __________18
> Password: Password
> They cannot log in with that information. The problem may be because of entering names in Farsi characters and not English.
> Do you think there is any other reason? And any solution?
> Kamran


spip-en@rezo.net - http://listes.rezo.net/mailman/listinfo/spip-en
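An added example, not part of the original thread and not SPIP's own code: an allowlist check for the login character set quoted above (A-Za-z0-9-_), plus one way a login derived from a non-ASCII name can collapse into a run of underscores. The function names, the 32-byte LOGIN_MAX limit, the derivation itself and the sample name and address are all assumptions made for illustration.

```php
<?php
// Added example: not SPIP code. Function names and LOGIN_MAX are hypothetical.
const LOGIN_MAX = 32; // assumed width of the login column

// Allowlist check for the character set quoted in the thread: A-Za-z0-9-_
function login_is_valid(string $login): bool
{
    // \A and \z anchor the whole string; "$" would also accept a trailing newline.
    // Rejecting over-long values avoids relying on the database to truncate them.
    return strlen($login) <= LOGIN_MAX
        && preg_match('/\A[A-Za-z0-9_-]+\z/', $login) === 1;
}

// Naive derivation: every code point outside the allowlist becomes "_".
function login_naive(string $name): string
{
    if (preg_match('//u', $name) !== 1) {
        return ''; // malformed UTF-8 byte sequence: refuse it outright
    }
    return preg_replace('/[^A-Za-z0-9_-]/u', '_', $name);
}

// Derivation with a fallback: if nothing alphanumeric survives, use the
// local part of the e-mail address instead of a run of underscores.
function login_suggest(string $name, string $email): string
{
    $candidate = login_naive($name);
    if (preg_match('/[A-Za-z0-9]/', $candidate) !== 1) {
        $local = (string) strstr($email, '@', true); // '' when there is no "@"
        $candidate = preg_replace('/[^A-Za-z0-9_-]/', '_', $local);
    }
    $candidate = substr($candidate, 0, LOGIN_MAX);
    return login_is_valid($candidate) ? $candidate : 'user';
}

// Constructed sample input (not taken from the thread).
$name  = "\u{06A9}\u{0627}\u{0645}\u{0631}\u{0627}\u{0646}"; // six Farsi letters
$email = 'k.example@example.org';

var_dump(login_is_valid($name));        // the raw name fails the allowlist
var_dump(login_naive($name));           // one underscore per Farsi letter
var_dump(login_suggest($name, $email)); // falls back to the e-mail local part
```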

Hi Gilles,

On 28/09/2009, at 3:31 PM, Gilles VINCENT wrote:

> They can also login with their email.
>
> Actually, the login accepts only ascii characters : A-Za-z0-9-_
> UTF8 characters would be dangerous for some security reasons.

Is this just because many UTF-8 implementations have buggy decomposition, normalisation, and byte-stream validation algorithms? Or are there more security implications as well?

Cheers,

Thomas Sutton

bouncingorange
graphic+web design

Hi Thomas,

For example, you can bypass addslashes with UTF-8:
http://eleves.ec-lille.fr/~couprieg/post/Bypass-addslashes-with-UTF-8-characters
In the login case, I don’t know precisely how this bug can be used.

I also read some other stuff related to the default configuration of Apache or MySQL when they don’t correctly support the UTF-8 charset.
But, as I can’t find the references immediately, I can’t detail the risks.

.Gilles

On Tue, Sep 29, 2009 at 3:09 AM, Thomas Sutton <thomas@bouncingorange.com> wrote:

> Hi Gilles,
>
> On 28/09/2009, at 3:31 PM, Gilles VINCENT wrote:
>
> > They can also login with their email.
> >
> > Actually, the login accepts only ascii characters : A-Za-z0-9-_
> > UTF8 characters would be dangerous for some security reasons.
>
> Is this just because many UTF-8 implementations have buggy decomposition, normalisation, and byte-stream validation algorithms? Or are there more security implications as well?
>
> Cheers,
>
> Thomas Sutton
>
> bouncingorange
> graphic+web design

I’ve found the other bugs related to UTF-8 and MySQL

On Tue, Sep 29, 2009 at 2:50 PM, Gilles VINCENT <gilles.vincent@gmail.com> wrote:

> I also read some other stuff related to the default configuration of Apache or MySQL when they don’t correctly support the UTF-8 charset.
> But, as I can’t find the references immediately, I can’t detail the risks.

http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
http://www.derkeiler.com/Mailing-Lists/Securiteam/2008-10/msg00040.html

.Gilles

> > Actually, the login accepts only ascii characters : A-Za-z0-9-_
> > UTF8 characters would be dangerous for some security reasons.
>
> Is this just because many UTF-8 implementations have buggy decomposition,
> normalisation, and byte-stream validation algorithms? Or are there more
> security implications as well?

In this case I don't think we have a security issue. The problem seems
more that something is poorly implemented. Precise tests would be
needed.

-- Fil

Gilles VINCENT wrote:

> Actually, the login accepts only ascii characters : A-Za-z0-9-_
> UTF8 characters would be dangerous for some security reasons.

I tested with:
   # @ & * $ % ( ) ! + = ? . , ; / :
and it goes!

this:
   #@&*$%()!+=?.,;/:
is a valid password

spip 2.0.9 / PHP 5.2.6 / MySQL 5.0.41

denisb wrote:

> #@&*$%()!+=?.,;/:
> is a valid password

all the ascii table (the 95 chars) is right:

   ! " # $ % & ' ( ) * + , - . /
0 1 2 3 4 5 6 7 8 9 : ; < = > ?
@ A B C D E F G H I J K L M N O
P Q R S T U V W X Y Z [ \ ] ^ _
` a b c d e f g h i j k l m n o
p q r s t u v w x y z { | } ~

Hi,

the restriction is only on logins, not passwords.
And the examples given are in the charset ISO-8859-1.
You should try with λσ∀ῈΩ¿€œ , or きしてうんか

;-)

.Gilles

On Wed, Sep 30, 2009 at 1:26 AM, denisb <denisb@laposte.net> wrote:

> Gilles VINCENT wrote:
>
> > Actually, the login accepts only ascii characters : A-Za-z0-9-_
> > UTF8 characters would be dangerous for some security reasons.
>
> I tested with:
>    # @ & * $ % ( ) ! + = ? . , ; / :
> and it goes!
>
> this:
>    #@&*$%()!+=?.,;/:
> is a valid password
>
> spip 2.0.9 / PHP 5.2.6 / MySQL 5.0.41

