After updating password no credentials needed to login
-
I'm not sure what's happening here, but it seems after editing the password in /app/data/env.sh now anyone can just click login over on https://listmonk.uniteddiversity.coop and it doesn't even ask for any credentials at all!?!?!
-
@jdaviescoates
wtf? -
@BrutalBirdie yeah, I know.
Just been playing around again.
If I change the pw to this:
sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&
Somehow that turns off needing to login at all!
Changing it to something like this:
howveryodd
works fine. Then, changing it back to
sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&
turns auth off again. WTF?!?
-
This is good info.
Just in case, pinging @girish. But I am also taking a look at this.
-
@BrutalBirdie
Did you use single quotes ' or double quotes " or no quotes at all for the password?
-
I thought perhaps it was a length thing but
howveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryodd
works too, so doesn't look like it. And just to double check that, in case that wasn't as long as the previous one, this works fine too:
howveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryodd
So does
sBd@ni7fjTo2J3KGRK
Hmz
-
@BrutalBirdie said in After updating password no credentials needed to login:
Did you use single quotes ' or double quotes " or no quotes at all for the password?
You mean in the /app/data/env.sh file? I just edited what was there, i.e. no quotes at all:
#!/bin/bash # https://listmonk.app/docs/configuration/#environment-variables export LISTMONK_app__admin_username=admin export LISTMONK_app__admin_password=howveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryoddhowveryodd export TZ=Etc/UTC # Do not change the values below export LISTMONK_app__address="0.0.0.0:9000" export LISTMONK_db__host="${CLOUDRON_POSTGRESQL_HOST}" export LISTMONK_db__port="${CLOUDRON_POSTGRESQL_PORT}" export LISTMONK_db__user="${CLOUDRON_POSTGRESQL_USERNAME}" export LISTMONK_db__password="${CLOUDRON_POSTGRESQL_PASSWORD}" export LISTMONK_db__database="${CLOUDRON_POSTGRESQL_DATABASE}" export LISTMONK_db__ssl_mode="disable"
-
@jdaviescoates
I think the problem might not be the length. Try to use single quotes with the variable:
export LISTMONK_app__admin_password='sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
There is a special char which breaks the bash with no quotes.
This should do the trick.
If you try the command in a bash shell without the single quotes you get this:
export LISTMONK_app__admin_password=sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&
bash: !W8VwB: event not found
Which breaks the export statement and leaves the variable empty / not defined.
Which would explain why no password is needed, if none is set because of the bash error. -
@BrutalBirdie yep, it's the &
Having an & at the end of the pw turns off auth. Having an & somewhere in the middle seems to stop the app starting at all.
-
@jdaviescoates it should work with single quotes tho even with the & char. Good explanation here:
https://stackoverflow.com/questions/6697753/difference-between-single-and-double-quotes-in-bash
-
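Added example (not written by anyone in this thread, and not Cloudron's or listmonk's code): the script sources three constructed variants of the export line discussed above and reports whether `LISTMONK_app__admin_password` ends up set in the sourcing shell. The password, the file names and the `require_admin_password` guard are assumptions made for illustration.

```shell
#!/bin/bash
# Added demo, constructed values: how the shell parses three spellings of one
# export line from env.sh. The password is made up, not one from the thread.

# Source file $1 in a subshell; print "<exit status>:<set|unset>:<value>".
admin_pw_after_sourcing() (
    set +e
    unset LISTMONK_app__admin_password
    { . "$1"; rc=$?; } 2>/dev/null
    if [ -n "${LISTMONK_app__admin_password+x}" ]; then
        printf '%s:set:%s\n' "$rc" "$LISTMONK_app__admin_password"
    else
        printf '%s:unset:\n' "$rc"
    fi
)

# Write the three constructed variants into directory $1.
write_variants() {
    # Unquoted, trailing "&": the export runs as a background job in a child
    # process, so the sourcing shell never gets the variable.
    cat > "$1/trailing_amp.sh" <<'EOF'
export LISTMONK_app__admin_password=Pw@x^y%z!w&
EOF
    # Unquoted, "&" in the middle: same, then "y%z!w" is run as a command and
    # fails with 127 (a start script under "set -e" would stop here).
    cat > "$1/middle_amp.sh" <<'EOF'
export LISTMONK_app__admin_password=Pw@x&y%z!w
EOF
    # Single-quoted: every character, including "&", is literal.
    cat > "$1/quoted.sh" <<'EOF'
export LISTMONK_app__admin_password='Pw@x^y%z!w&'
EOF
}

# Fail-closed guard a start script could call after sourcing env.sh
# (hypothetical helper, not part of the Cloudron package or listmonk).
require_admin_password() {
    [ -n "${LISTMONK_app__admin_password:-}" ] && return 0
    echo "admin password is empty or unset; refusing to start" >&2
    return 1
}

demo_dir=$(mktemp -d)
write_variants "$demo_dir"
for v in trailing_amp middle_amp quoted; do
    printf '%-13s %s\n' "$v" "$(admin_pw_after_sourcing "$demo_dir/$v.sh")"
done
```
-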
@BrutalBirdie said in After updating password no credentials needed to login:
@jdaviescoates it should work with single quotes tho even with the & char.
It doesn't. Adding single (or double) quotes makes no difference whatsoever in the testing I just did.
Hmz, scrap that. I think that was because I was simultaneously experimenting with quotes around admin too.
Wait, now I'm really confused.
Using this as a password works:
'apwwith&'
(hence why I crossed that bit out above)
But this still turns auth off completely:
'sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
-
@jdaviescoates
Then there is also a bug in the listmonk software itself. You can try the referenced line of code in your shell and it should return the correct string.
export LISTMONK_app__admin_password='sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
echo $LISTMONK_app__admin_password
sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&
If the Bash does this correctly but the software has an issue, there might be a similar issue there.
-
@jdaviescoates
So just to make it clear.
Single quotes work now, even with the & char?
-
@BrutalBirdie said in After updating password no credentials needed to login:
@jdaviescoates
So just to make it clear.
Single quotes work now, even with the & char?
Sometimes.
Using this as a password works:
'apwwith&'
But this still turns auth off completely:
'sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
-
@girish
Please don't JUST fix the issue, I have a trainee right now, perfect task for him to start learning. I will not show him this conversation and will use this as a little benchmark for his skillset.
-
@jdaviescoates said in After updating password no credentials needed to login:
Sometimes.
Using this as a password works:
'apwwith&'
But this still turns auth off completely:
'sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjjGfk62nzW@M!W8VwBepYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
I will have to test this when I am at home.
-
@BrutalBirdie seems it has something to do with the % too (or perhaps that is the main culprit?)
Anyways, if I remove the % from:
sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&
It works with single quotes (but not without).
But with the % included it breaks the auth even with the single quotes.
-
But then this pw works fine too:
apwwith%&
So perhaps it's a combination of having % ending with & and length as well?
But it can't be that either because this also works fine:
apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&apwwith%&
I've got to collect children from school now so will have to stop testing, hopefully @BrutalBirdie will be able to figure out what's going on!
-
@jdaviescoates said in After updating password no credentials needed to login:
But this still turns auth off completely:
'sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjjGfk62nzW@M!W8VwBepYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
I can't reproduce this. This is what I have:
export LISTMONK_app__admin_username=admin
export LISTMONK_app__admin_password='sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
-
@girish said in After updating password no credentials needed to login:
export LISTMONK_app__admin_username=admin
export LISTMONK_app__admin_password='sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjjGfk62nzW@M!W8VwBepYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&'
Odd. I can reproduce it over and over again.
Just did so again:
-
@jdaviescoates I'm way off here but... my router's admin page auto logs me in at work if I'm signed in to my vault even though I have auto-fill disabled. Try logging in in a private window (or with all extensions disabled). It also happens to me on Costco dot com. Do you have the passwords saved in your vault?
Edit: I can't reproduce it either on a fresh install. I copied Girish's code like you did in your video. Works fine
Another thought, check Firefox's native password manager if it's still on and it's auto-filling the pass.
I can reproduce it if the code is like this:
export LISTMONK_app__admin_username=admin
export LISTMONK_app__admin_password=sBd@ni7fjTo2J3KGRKprGm@YXPxXh7FkJzhatxGgvKJ69gAKA^gu4zfBMYjj*Gfk62nzW@M!W8VwB*epYDtPp%QApFVELKmtwkY63LJYVv@DAsMHwxucNHYFjRxT&
Maybe it's a visual bug because of the double ' ' that gets auto-completed as you type ' in the web terminal at the end of the pass.
recording here: https://ufile.io/24rtfp8a (1MB).
-
@humptydumpty said in After updating password no credentials needed to login:
Try logging in in a private window (or with all extensions disabled).
Tried all that, and same in mobile browsers too.
-
All I can say is that with single quotes all is working fine.
Tested and pushed by my trainee. -
I am running into this myself.
I have used far more complicated combinations than the following, but I have it set
export LISTMONK_app__admin_username="Gently2729"
export LISTMONK_app__admin_password="ThemePavilionCare"
I have also tried
export LISTMONK_app__admin_username='Gently2729'
export LISTMONK_app__admin_password='ThemePavilionCare'
I am not prompted for a sign in with an incognito window
-
After many different tests, the username was the cause.
Once the username is all in lowercase, it would work.
-
@privsec scary. I will test and put a warning in the docs and the config file.
-
I can't really reproduce this. It works just fine with capital case usernames. I used the same creds as in the report:
export LISTMONK_app__admin_username="Gently2729"
export LISTMONK_app__admin_password="ThemePavilionCare"
-
Maybe to reproduce this:
- Correct Username + Broken Password
- Same Username + Fixed Password
- Still no login needed?
I will try this out.
-
@BrutalBirdie Thanks. Also, this has to be reported upstream because this auth code is by them and not Cloudron.
-
Could not reproduce at all.
very strange. Maybe @privsec needs to share the exact steps to this issue.
-
I'm thinking perhaps the issue is actually that logging out doesn't seem to actually log you out (at least in Firefox with the plugins I use - not tested elsewhere yet), see:
-
I did a bit more testing.
@privsec are you using the Bitwarden browser extension?
Because further testing seems to suggest if that is enabled and I'm logged into it, then it somehow magically logs into Listmonk without any interaction from me at all.
If I disable the Bitwarden plugin then I'm prompted to login after logging out.
-
@jdaviescoates I am/was
I can't reproduce it either.
I'm not sure what and how this occurred, but once I used a lowercase username I was prompted to sign in on every attempt.
So... IDK
ヽ( 。 ヮ゚)ノ -
@privsec said in After updating password no credentials needed to login:
I'm not sure what and how this occurred, but once I used a lowercase username I was prompted to sign in on every attempt.
Odd, because my username is lowercase too, and if I have Bitwarden enabled and logged in I am never prompted to login