Agilebits discussions passwords not accepted
I have discovered some oddities with how passwords are handled by the discussion board's software. I have recorded a movie, but as it contains a few personal details I'd rather send it directly to someone at Agile Bits.
The general gist of the problem, I think, is imperfect escaping of the password string when comparing the stored hash (hopefully) with the input.
Examples of passwords that do work:
BMaTR.uJfVaRNyz9u28kE2#y@BrEc zjBvTkDAZns48G3xgAdUuLaedhVK.oJKPAA3DYfpkkPZqDRofD
Examples of passwords that do not work:
Ri8oR2uvMTzPa{poMv{H((YBupdNLjCEBb;xqkV*)vtQZ*q@p} 7kr^b%gtNKn&Gcr}a++tAcf[wD2rJi[QuoGNQbV=pzDeX{nGxM XCqsgax?V9kXshEyJZjYtmaG@9G^i2QGuUZQiVsZJf AYDpdjiN@aZ^rQ$KNNZ9vc[N6B(tv6
Comments
-
Thanks! If you like you can attach my e-mail address (I believe you can access it in my profile info) when you contact them so that they may contact me.
0 -
I'm sorry Vanilla has not yet followed up with you but the best I can suggest is patience... If there is a bug in their software that is something they will need to fix. I do apologize for the inconvenience, and for the delay on their behalf. I'll see if we can ping them again about the issue.
0 -
Thanks! I look forward to the day I will hear from them.
0 -
It's been two weeks since I emailed you on issue #RPV-73395-629. When are you planning on answering?
0 -
Niklas,
Rob replied to that message 10 days ago. The new ticket ID is NWT-47468-963. Please check your spam folder.
Thanks.
Ben
0 -
That's a different ticket (about iCloud sync)!
It has nothing to do with your forum's string escaping.
0 -
Hi @Niklas,
Unfortunately, we're not able to do much more with respect to the forum issue. As we've mentioned above, this will need to be investigated by Vanilla. I do apologize that they haven't gotten in contact with you yet. I'll mention @MikeT here, as he deals with the Vanilla team more directly - perhaps he'll be able to check in with them.
Thanks for checking in on us here, I'm sorry we're not able to help more directly!
0 -
At the very least you could have the damn courtesy of replying to my email.
0 -
If you don't want to communicate via email I'll just post detailed instructions here on how to defeat your forum's faulty input escaping. I thought I could somehow appeal to your sensibilities and be responsible about security issues, but no, if that's the way you want it, sure…
0