this post was submitted on 18 Nov 2021
16 points (100.0% liked)

Lemmy

12538 readers
8 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
nutomic@lemmy.ml
16
Unusual login bug(s) (lemmy.ml)
submitted 3 years ago* (last edited 3 years ago) by ____@lemmy.ml to c/lemmy@lemmy.ml
11 comments fedilink hide all child comments
 

Trying to log in using my username ____ doesn't work, it displays this error (this bug has existed since I created the account):

Today I discovered a workaround, I can log in if I prepend a \ to my username:

It also works if I write my username like this \_\_\_\_

Using a single _ for the username (and removing the minlength of 3 of the field with the html inspector) logs me in too, but not into this account, I get logged in into my @Lee account that has the same password:

I haven't read the code (I don't think I can, I never managed to learn Rust) but my theory is that _ is being used as a placeholder or matchall value when comparing usernames and emails. If I escape it with \ it works because it matches my username. If I write a single unescaped _ it logs me into my other account because the email of that account is set to a single character "@" which should match a single matchall underscore.

Edit: the autocomplete field in the block users page seems to confirm my theory as it matches any username as long or longer than the number of underscores I write:

top 11 comments
sorted by: hot top controversial new old
[–] sexy_peach@feddit.de 3 points 3 years ago

Wow nice find

[–] TheConquestOfBed@lemmy.ml 2 points 3 years ago

@dessalines@lemmy.ml @nutomic@lemmy.ml

[–] tmpod 2 points 3 years ago (1 children)

You should probably open an issue on the lemmy-ui repository :)

[–] Hlcy@lemmy.ml 4 points 3 years ago (2 children)

I think this is a backend error, with my poor Rust reading skills I arrived to this find_by_email_or_name function where I believe the problem is: https://github.com/LemmyNet/lemmy/blob/f24999027e26fc77cc3808674f4f37fb1883c20f/crates/db_views/src/local_user_view.rs#L85

It uses ilike which in SQL should allow things like % and _ to be used as placeholders for matching any character(s): https://www.postgresql.org/docs/14/functions-matching.html#FUNCTIONS-LIKE

[–] dessalines@lemmy.ml 3 points 3 years ago (1 children)

Nice find, I'll create a PR to fix this.

[–] Hlcy@lemmy.ml 3 points 3 years ago (1 children)

Sorry to bother you again, it took me some time to find this again on GitHub. This login bug I was experiencing was introduced when fixing this other login bug, you can see in that commit that eq was changed to ilike but now your new pull request reintroduces that old bug with the case-sensitiveness of the usernames during login. I think the solution to both bugs would be converting to uppercase before comparing with eq (and having a computed uppercased column indexed on the database). I don't know enough Rust to propose code changes or send a pull request, I hope my description of the solution is good enough for someone more knowledgeable to write the code.

[–] dessalines@lemmy.ml 2 points 3 years ago

We did originally want to force usernames to be lowercase (to prevent confusing name conflicts, but haven't forced any DB constraints on that yet, only for the actor_id column it looks like). For now due to the security implications, it makes sense to use eq instead of ilike.

[–] TheConquestOfBed@lemmy.ml 1 points 3 years ago (1 children)

So does this mean it's possible to access any account that you know the password of if the wildcards are used for the username?

[–] Hlcy@lemmy.ml 2 points 3 years ago* (last edited 3 years ago) (2 children)

You need to know the exact length of the account name (it seems that % is filtered because it is not allowed in usernames and only underscores can be used as placeholders). The risk is minimal, the only possible exploit that comes to mind is trying a list of compromised/common passwords and testing each with underscore usernames of different lengths. That way you will be able to log in as the first person (by database query sort order) using a compromised/common password whose username (or email) has the same amount of characters as underscores you tried. So the usual advice applies: don't use a compromised or common password and you will be safe, use a password manager and let it generate a random password for you if you can. Also this is easy to detect server side and if there is any kind of rate limiting the attack won't work, I wouldn't worry about this bug.

[–] tmpod 3 points 3 years ago

Great find!