Bug: MySQL Password Escaping

**Starlight** · Aug 1st 2016

Version: i-MSCP 1.3.0
SQL Server: MySQL / MariaDB (remote server)

Problem
On installation / upgrade, in I-MSCP 1.3.0 a new config file will be created for mysqldump: /etc/mysql/conf.d/imscp.cnf. Inside this config file, the Password is escaped:

Code

[mysqldump]
host = <hostname>
port = 3306
user = "imscp_user"
password = "'<password>'"

The escaping might be done due to special characters such as "#[([])}~^-+", however, it makes the dump stop working with following error message:

Quote

An error has been raised while executing function main::run in/var/www/imscp/engine/backup/imscp-backup-all:iMSCP::Database::mysql::dumpdb: mysqldump: Got error: 1045: Access deniedfor user 'imscp_user'@'<host>' (using password: YES) when trying toconnect

Workaround
Delete additional single quotes (') inside the password string.

Fix
Remove escapeShell() all from line 188 in Servers::sqld::remote_server.pm.

**Nuxwin** · Aug 2nd 2016

Benedikt,

Normally, only double quotes are escaped and the final password shouldn't be surrounded with single quotes:

Perl

(my $pwd = decryptBlowfishCBC( $main::imscpDBKey, $main::imscpDBiv, $main::imscpConfig{'DATABASE_PASSWORD'} ) ) =~ s/"/\\"/g;

See https://github.com/i-MSCP/imsc…d/mysql/installer.pm#L247

Could you say us what was the password exactly (PM if you prefer).

Thanks.

**Nuxwin** · Aug 2nd 2016

@Starlight

I've just tried to reproduce the issue with the 1.3.x branch:

Shell-Script

# perl imscp-autoinstall -dasr sql

Password set to ouch'ouch"ouch

Resulting file:

PHP

[mysqldump]host = localhostport = 3306user = "imscp_user"password = "ouch'ouch\"ouch"[mysqld]event_scheduler = DISABLEDdefault_password_lifetime = 0innodb_use_native_aio = 1performance_schema = 0sql_mode = "NO_AUTO_CREATE_USER"[mysql_upgrade]host = localhostport = 3306user = "imscp_user"password = "ouch'ouch\"ouch"socket = /var/run/mysqld/mysqld.sock

As you can see here, only the double quotes are escaped. Then, result of a dump (I use the imscp-backup-imscp script here but the result would be same with the imscp-backup-all script):

Shell-Script

root@srv1:/usr/local/src/imscp# perl /var/www/imscp/engine/backup/imscp-backup-imscp -v
[DEBUG] iMSCP::Bootstrapper::lock: Acquire exclusive lock on /tmp/imscp-backup-imscp.lock
[DEBUG] iMSCP::Bootstrapper::boot: Booting backend....
[DEBUG] iMSCP::Config::_init: Tying /etc/imscp/imscp.conf file
[DEBUG] iMSCP::Database::mysql::dumpdb: Dump `imscp` database into /var/www/imscp/backups/imscp-2016.08.02-09-19.sql
[DEBUG] iMSCP::Config::_init: Tying /etc/imscp/mysql/mysql.data file
[DEBUG] iMSCP::Execute::execute: mysqldump --defaults-file='/etc/mysql/conf.d/imscp.cnf' --opt --complete-insert --add-drop-database --allow-keywords --compress --default-character-set=utf8 --quote-names --result-file='/var/www/imscp/backups/imscp-2016.08.02-09-19.sql' imscp
[DEBUG] iMSCP::Execute::execute: bzip2 -1 --force '/var/www/imscp/backups/imscp-2016.08.02-09-19.sql'
[DEBUG] iMSCP::Execute::execute: tar -c -C /etc/imscp --exclude=?*[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] --preserve-permissions . | bzip2 -1 > /var/www/imscp/backups/config-backup-2016.08.02-09-19.tar.bz2
[DEBUG] iMSCP::Execute::execute: find /var/www/imscp/backups/* -maxdepth 0 -type f -mtime +7 -print | xargs -r rm
[DEBUG] iMSCP::Bootstrapper::unlock: Releasing exclusive lock on /tmp/imscp-backup-imscp.lock

Display More

**Nuxwin** · Aug 2nd 2016

@Starlight

Could you also give us the content of the /etc/imscp/mysql/imscp.cnf file on your system?

Should normally look like https://github.com/i-MSCP/imsc….3.0/configs/debian/mysql (with 1.3.0)

Thanks.

**Starlight** · Aug 2nd 2016

Dear @Nuxwin,

the file "/etc/imscp/mysql/imscp.cnf" has the right content:

Code

[mysqldump]
host = {DATABASE_HOST}
port = {DATABASE_PORT}
user = "{DATABASE_USER}"
password = "{DATABASE_PASSWORD}"

Did you try passwords with #~()?

**Nuxwin** · Aug 5th 2016

@Starlight

Yes and I cannot confirm the problem. Please try with last 1.3.x on vm.

Thank you.

**Starlight** · Oct 26th 2016

@Nuxwin, could it be, that the encrypted database string in /etc/imscp/imscp.conf has the extra chars already? How to I decrypt or create a new encrypted string without re-running the installation?

It is re-producible after every update.

**Nuxwin** · Oct 27th 2016

Quote from Starlight

could it be, that the encrypted database string in /etc/imscp/imscp.conf has the extra chars already?

You mean, escape characters?

Quote from Starlight

How to I decrypt or create a new encrypted string without re-running the installation?

By coding a little script. See the attachment or pastbin link below

Pastbin link: http://pastebin.com/7fEFfAb7

handle_passwd.pl

**Starlight** · Oct 29th 2016

Quote from Nuxwin

By coding a little script. See the attachment or pastbin link below

I thought so, I should have asked a more precise question.

Quote from Nuxwin

Pastbin link: http://pastebin.com/7fEFfAb7

Wow, thank you for creating this. Result: The encrypted password is the original password without any additional escape chars. Nonetheless, the extra ' are added by the setup / upgrade script.

I compared your script with the with the Servers::sqld::Remote_Server.pl and found a small but important difference:

Perl: remote_server.pm

$rs ||= $self->{'eventManager'}->trigger( 'onLoadTemplate', 'mysql', 'imscp.cnf', \my $cfgTpl, { } );
return $rs if $rs;
unless (defined $cfgTpl) {
$cfgTpl = iMSCP::File->new( filename => "$self->{'cfgDir'}/imscp.cnf" )->get();
unless (defined $cfgTpl) {
error( sprintf( 'Could not read %s', "$self->{'cfgDir'}/imscp.cnf" ) );
return 1;
}
}
$cfgTpl = process(
{
DATABASE_HOST => $main::imscpConfig{'DATABASE_HOST'},
DATABASE_PORT => $main::imscpConfig{'DATABASE_PORT'},
DATABASE_PASSWORD => escapeShell( decryptBlowfishCBC(
$main::imscpDBKey, $main::imscpDBiv, $main::imscpConfig{'DATABASE_PASSWORD'}
) ),
DATABASE_USER => $main::imscpConfig{'DATABASE_USER'},
}
,
$cfgTpl
);
my $file = iMSCP::File->new( filename => "$confDir/conf.d/imscp.cnf" );
$rs ||= $file->set( $cfgTpl );
$rs ||= $file->save();

Display More

In line 188 you are calling escapeShell() and this adds the additional chars around the string.

escapeShell() triggers always when the tested string contains other chars than [a-zA-Z0-9_\-].

The fix should be trivial and I do not see any security issues.

**Nuxwin** · Oct 29th 2016

@Starlight

Quote from Starlight

In line 188 you are calling escapeShell() and this adds the additional chars around the string.

escapeShell() triggers always when the tested string contains other chars than [a-zA-Z0-9_\-].

The fix should be trivial and I do not see any security issues.

Ah... in remote server implementation.... Ok I've just looked at MySQL implementation. I'll check and fix. Sorry for the misunderstanding.

Thank you for your investigations

Bug: MySQL Password Escaping

Share

Daily visitors