Backslash MySQL Password

We found a bug with the Webmin MySQL "Change Administrator Password" page.

Steps to reproduce

  1. It's suggested to use a development environment, not a live environment, because that issue locks Webmin out of MySQL, and after that it's not easy-breezy to reset that password.
  2. Using
    1. Webmin 1.821
    2. Virtualmin 5.05
    3. MySQL 5.5.53
    4. Debian 8 Jessie
    5. Kernel Linux 4.8.6-x86_64
    6. Authentic Theme 18.20
  3. Using Webmin as the root user, navigate to "Servers ---> MySQL Database Server"
  4. Click on "Change Administrator Password" button
  5. Type in any password in those fields. Include a backslash "\" symbol in your password. For example: 8aHIy\dfckYQFHp5
  6. Click on "Change Now" button
  7. Webmin returns this error message:
    DBI connect failed : Access denied for user 'root'@'localhost' (using password: YES)
  8. Try to enter your new MySQL password. It will not work. Somehow that new password was not recorded properly, and the previous password is no longer working. The root user is locked out of MySQL :(

Redo all the actions above but without the backslash in the password. No error. So the backslash creates that issue. Maybe the backslash is considered an escape character, that is, to indicate that the following character has a special meaning, thus changing the password before it's recorded?

Another test we did is using the Terminal/Console to change the MySQL password, including a backslash. No error. So the issue seems to be from Webmin's end, because it can't be reproduced using the Terminal.

Any volunteer for a patch? We would be happy to contribute testing. And documentation.

If somehow that issue can't be resolved and a backslash can't be used with Webmin "Change Administrator Password", when the user clicks on the "Change Now" button, how about automatically detecting any backslash inside the password, then warning the user to remove it? If that's not possible, we suggest at least adding a note on the Webmin "Change Administrator Password" page about not using the backslash symbol. How does that sound? Any other suggestion to resolve that issue?

Status: Closed (fixed)

Comments

Submitted by Francewhoa on Fri, 12/02/2016 - 17:35

I fixed the broken links to the screenshots. It seems the "---" three dashes into the file name somehow broke the path. I created another ticket for that at https://virtualmin.com/node/44452

If you check the file /etc/webmin/mysql/config , does the password stored in the pass= line have a backslash in it?

Submitted by Francewhoa on Fri, 12/02/2016 - 22:05

Thanks for your reply Jamie :) That development server was wiped out. We'll try to spin up another one tomorrow. I'll check that file, then post the result here.

Submitted by Francewhoa on Sat, 12/03/2016 - 16:32


In our steps to reproduce above, we just noticed that the password was 17 characters long: 8aHIy\dfckYQFHp54. Usually the MySQL password maximum character length is 16. We thought that could be the source of the issue, so we retested with this shorter password: 8aHIy\dfckYQFHp5. But the same error message is returned.

We'll check that config file, then post the result in another comment.

Submitted by Francewhoa on Sat, 12/03/2016 - 16:47

Jamie :) Done, we checked the file /etc/webmin/mysql/config. Yes, the password stored in the pass= line has a backslash in it. We also double checked the remaining password characters. They are recorded correctly in that file.

The first test was with a 17-character password 8aHIy\dfckYQFHp54. The second test was with a 16-character password 8aHIy\dfckYQFHp5. Both tests returned the same error message: DBI connect failed : Access denied for user 'root'@'localhost' (using password: YES)

When we redo the same steps to reproduce with the same password, same length but without the backslash in the password, that error is not returned. Spooky, LOL ;)

All tests so far were done with a fresh install.

Jamie, Francewhoa,

This is a MySQL server password constraint limitation. You can create a password with forward slash but not with backslash. It will let you create the user with the password but a connection error will occur when connection is attempted.

Step to Reproduce: You may want to try to set your password with MySQL Administrator, Navicat or DBeaver to confirm yourself that this is not a WebMin issue.

Submitted by Francewhoa on Sat, 12/03/2016 - 17:07

Thanks martlam :) I learned something new. You solved the mystery.

I'll post another comment with a suggestion for Webmin consideration.

No problem. From my tests it appears it actually cuts the password off at the backslash. So the password 'password\abc' would actually be saved only as 'password'. That is why the authentication fails if you try with the intended password of 'password\abc'. It should succeed with 'password'.

The issue here I think is that the password generator is not aware of this limitation with MySQL. Therefore backslashes should be removed from the set of special characters to prevent others from running into this sort of problem.

You can test this on your end to see if you get the same result.

Submitted by Francewhoa on Sat, 12/03/2016 - 19:12

Thanks for your message martlam :) Done, we tested comment #8 above, using password 8aHIy\dfckYQFHp5

Then on that screen we entered 8aHIy

But it returned that same error message. So in our case the password wasn't cut off.

But your comment #8 sent us in the right direction. We re-tested with password 8aHIy\dfckYQFHp5

Then on that screen we entered 8aHIydfckYQFHp5

Notice in the password above that we just removed the backslash. That worked. That error is not returned.

We narrowed down the source of that issue. Yay :) In short, the correct password is saved into the Webmin configuration file. But as you know, after that when Webmin tries to connect to MySQL it returns an error, because backslashes are not allowed by MySQL and a different password was stored into MySQL.

Submitted by Francewhoa on Sat, 12/03/2016 - 19:13

Jamie, martlam, and all Webmin enthusiasts :) How about Webmin automatically validating the password before it is stored? That mockup shows the suggested validation result.

Suggested scenario

  1. User logs in to Webmin as the root user. Navigate to "Servers ---> MySQL Database Server"

  2. Click on "Change Administrator Password" button

  3. User types in a password which includes one or multiple backslash \ symbol(s). For example: 8aHIy\dfckYQFHp5

  4. User clicks on "Change Now" button

  5. Webmin validates the password, detects one or more backslash(es), then returns that failed validation message.

  6. User clicks on "Return to previous page" button.

  7. User is back on that "Change Administrator Password" page. User simply enters a new password without a backslash. Webmin validates again. Then bingo, the same password is stored in both the Webmin configuration file and MySQL :) How does that scenario sound? Any suggestion?

Here is the HTML code we suggest for the failed validation message. Feel free to re-word it to your liking. That message is inspired by martlam's comment above.

Any volunteer for a patch? We would be happy to contribute testing and documentation.
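As an added example (not code from this thread, from Webmin or from Virtualmin), the Python below models what a MySQL server does with a backslash inside a quoted string literal. It reproduces the narrowing-down two comments up (the typed password minus its backslash is what the server ends up with, while Webmin's config file keeps the typed value) and includes the validation step from the suggested scenario. The escape table follows MySQL's documented string-literal rules under the default sql_mode; the SET PASSWORD statement shape, the function names and the sample password are assumptions for illustration.

```python
# Added example, not Webmin's code: model of how a MySQL server decodes
# backslash escapes inside a quoted string literal, to show why a password
# typed with a backslash is stored differently unless it is escaped first.
# Assumes the default sql_mode (NO_BACKSLASH_ESCAPES not set).

# Escape sequences MySQL recognises inside a quoted string literal, per the
# reference manual's "String Literals" table. Any other backslash+character
# pair is replaced by the character alone: the backslash is silently dropped.
MYSQL_ESCAPES = {
    "0": "\0", "'": "'", '"': '"', "b": "\b", "n": "\n", "r": "\r",
    "t": "\t", "Z": "\x1a", "\\": "\\",
    "%": "\\%", "_": "\\_",   # keep their backslash outside LIKE patterns
}

# Constructed statement shape (assumption): the thread does not show the
# SQL that Webmin actually runs.
SQL_PREFIX = "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('"
SQL_SUFFIX = "')"


def mysql_decode_literal(body: str) -> str:
    """Return the value MySQL stores for the text between a literal's quotes."""
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(MYSQL_ESCAPES.get(nxt, nxt))  # unknown escape: drop '\'
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def mysql_escape(value: str) -> str:
    """Escape a value so it round-trips through a single-quoted MySQL literal
    (the same characters mysql_real_escape_string() rewrites)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in value)


def build_set_password_sql(password: str, escape: bool) -> str:
    """Interpolate the password naively (escape=False) or escaped (escape=True)."""
    body = mysql_escape(password) if escape else password
    return SQL_PREFIX + body + SQL_SUFFIX


def stored_password(sql: str) -> str:
    """Take the literal back out of the statement and decode it as MySQL would."""
    body = sql[len(SQL_PREFIX):-len(SQL_SUFFIX)]
    return mysql_decode_literal(body)


def has_backslash(password: str) -> bool:
    """Validation step proposed in the thread: reject before anything is written."""
    return "\\" in password


if __name__ == "__main__":
    typed = "8aHIy\\dfckYQFHp5"   # the 16-character password from the report
    naive = stored_password(build_set_password_sql(typed, escape=False))
    safe = stored_password(build_set_password_sql(typed, escape=True))
    print("typed   :", typed)
    print("naive   :", naive, "-> matches typed:", naive == typed)
    print("escaped :", safe, "-> matches typed:", safe == typed)
    print("reject? :", has_backslash(typed))
```

Under the default sql_mode an unrecognised escape such as \d is decoded by dropping the backslash, so the server keeps 8aHIydfckYQFHp5 while /etc/webmin/mysql/config keeps the typed value, and every later DBI connect fails. Escaping the value before interpolating it into the statement (or quoting it through the DBI driver) makes the two sides agree; refusing backslashes up front, as has_backslash does, is the simpler route the thread settled on. Note that a server running with NO_BACKSLASH_ESCAPES stores the literal unchanged, so whichever fix is chosen should not assume one mode.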

Ok, the next releases of Webmin and Virtualmin will disallow use of backslashes in passwords.

Status: Active » Fixed