
This queue is for tickets about the Net-SugarCRM CPAN distribution.

Report information
The Basics
Id: 93696
Status: resolved
Priority: 0/
Queue: Net-SugarCRM

People
Owner: Nobody in particular
Requestors: damo [...] launtel.net.au
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 3.23133



Subject: Should password be md5_hex?
Date: Mon, 10 Mar 2014 16:42:43 +1100
To: bug-Net-SugarCRM [...] rt.cpan.org
From: Damian Ivereigh <damo [...] launtel.net.au>
Hi,

I found I had to send through the md5_hex version of the password rather than the plain text to allow me to log into my server. I only figured this out by looking at the sugar examples.

Not sure if this is a limitation of the documentation (you don't mention it and the tutorial uses an obviously plaintext password) or whether you should be passing the password through md5_hex before sending it to the rest.php stuff.

Thanks

Damian

--
Launtel - We're at your call
Tel: 1800LAUNTEL (1800528683)
Mob: 0418217582
Fax: 1300784109
http://www.launtel.net.au
Hi Damian,

Not sure what might be happening, I am definitely using the plain text version of the password.

Questions:

- What version of SugarCRM are you using?
- Are you using an Admin user?

There is a test in t/10-login.t that you can use to try. For that you need to:

a) Set environment var TEST_AUTHOR_SUGAR

   export TEST_AUTHOR_SUGAR=1

b) Define your connection properties in t/lib/defaults.pl, for this case at least the following variables are needed:

   $login
   $pass
   $url

I usually try it by hand with

   perl -t -Ilib t/10-login.t

Let me know if these hints helped, and if it is something related to a SugarCRM config that I didn't test.

Best Regards,

On Mon Mar 10 01:43:03 2014, damo@launtel.net.au wrote:
Subject: Re: [rt.cpan.org #93696] Should password be md5_hex?
Date: Tue, 11 Mar 2014 05:03:32 +1100
To: bug-Net-SugarCRM [...] rt.cpan.org
From: Damian Ivereigh <damo [...] launtel.net.au>
Hi Nito,

I am using SugarCRM version 6.5.16 PRO. The user I am using is an administrator.

I followed your test instructions. I set the $login and $pass. With

    $pass='mypassword';

the test is failing with

    Error getting id <200 OK> fetching $VAR1 = '{"name":"Invalid Login","number":10,"description":"Login attempt failed please check the username and password"}';

Whereas if I set

    $pass=md5_hex('mypassword');

it works fine.

The article I found which shows the logging in process is here:
http://support.sugarcrm.com/04_Find_Answers/03_Developers/100Web_Services/100REST_API/100Examples/100PHP/Logging_In_-_REST_and_PHP

Just been doing some more digging around in the SugarCRM source - in particular SugarWebServiceImplv4.php - it appears that if you set encryption => 'PLAIN' in the user_auth hash, this will tell the server to accept a plaintext password. I have tried this out (patch attached) and it works. Having said that, I would have thought it would be more secure to send the MD5 password over the wire.

If you need me to create a username and password on our server for you to test, I can do that for a short period - unfortunately being PRO we get charged for each active login.

All the best,

Damian

On Mon, 2014-03-10 at 01:54 -0400, Nito Martinez via RT wrote:


I have tested against several community versions 6.4.x and 6.5.x (currently using 6.5.12) and this is not happening with my app.

After digging a bit around, it seems that the encryption plain is as you say in SugarWebServiceImplv4.php

Could you do a small test and try the v4_1 url?

In my case (community version 6.5.12) this is in source code ./service/v4_1/SugarWebServiceImplv4_1.php and the url that I use is:

    sugarcrm.url=http://app.qindel.com/sugarcrm/service/v4_1/rest.php

Could you check this url out in the pro version?

In any case happy to add the patch :-)
Just uploaded 3.23126 with the patch.

Thanks for the contribution

On Mon Mar 10 15:02:41 2014, NITO wrote:
Subject: Re: [rt.cpan.org #93696] Should password be md5_hex?
Date: Wed, 12 Mar 2014 15:15:59 +1100
To: bug-Net-SugarCRM [...] rt.cpan.org
From: Damian Ivereigh <damo [...] launtel.net.au>
Hi Nito,

Sorry I didn't get back to you. I tried it against v4_1 with exactly the same result as v4 - which is not surprising given that v4_1 just "requires" v4 and does not override any of the login code.

What is a bit surprising is that given the way that SugarWebServiceImplv4 works when it receives the encryption=>'PLAIN' parameter - i.e. it just encodes it with md5 before passing it onto the authentication routines - I am surprised that adding this parameter doesn't break your existing (CE) connections. That is assuming that CE has the same code in SugarWebServiceImplv4.php

Damian

On Tue, 2014-03-11 at 07:08 -0400, Nito Martinez via RT wrote:
Hi Damian, good point,

In the community edition there are a lot of differences in v4 vs v4_1. Also as I see I am using the Ldapauthenticator, which makes a shortcut... See below:

    root@localhost /var/www/sugarcrm # diff -u ./service/v4_1/SugarWebServiceUtilv4_1.php ./service/v4/SugarWebServiceImplv4.php | wc -l
    833
    root@localhost /var/www/sugarcrm # grep -i encryption ./service/v4/SugarWebServiceImplv4.php
    if(!empty($user_auth['encryption']) && $user_auth['encryption'] === 'PLAIN' && $authController->authController->userAuthenticateClass != "LDAPAuthenticateUser")
    && (empty($user_auth['encryption']) || $user_auth['encryption'] !== 'PLAIN' ) )
    && (empty($user_auth['encryption']) || $user_auth['encryption'] == 'PLAIN' ) )
    root@localhost /var/www/sugarcrm # grep -i encryption ./service/v4_1/SugarWebServiceImplv4_1.php
    root@localhost /var/www/sugarcrm #

I will add an optional parameter to Net::SugarCRM to set the encryption mode, which should be safer than always setting the encryption setting. I have also added some documentation and a test in version 3.23133 (just uploaded).

On Wed Mar 12 00:16:16 2014, damo@launtel.net.au wrote:
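To make the three client variants in this thread concrete, here is an added Python model (not Net::SugarCRM's or SugarCRM's code) of the v4 login call: the client sends either md5_hex(password), the plain password with no flag (the reporter's failing case), or the plain password plus encryption => 'PLAIN', and the server side md5-hexes the password itself only in the flagged, non-LDAP case, following the condition in the grep output above. The stored credential being md5_hex(password), the session id value and the application name are constructed assumptions.

```python
import hashlib
import json


def md5_hex(text):
    """Hex MD5 digest, the Python equivalent of Perl's Digest::MD5::md5_hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_login_request(user, password_field, encryption=None):
    """Build the v4 'login' REST call as the client would send it to rest.php.

    password_field is whatever goes on the wire: md5_hex(password), or the
    plain password when encryption='PLAIN' is also set (the ticket's patch).
    """
    user_auth = {"user_name": user, "password": password_field}
    if encryption is not None:
        user_auth["encryption"] = encryption
    rest_data = {"user_auth": user_auth, "application_name": "example-app"}
    return {"method": "login", "input_type": "JSON", "response_type": "JSON",
            "rest_data": json.dumps(rest_data)}


def server_login(rest_data, stored_hash, auth_class="SugarAuthenticateUser"):
    """Simplified model of the server side of the login call.

    Follows the condition shown in the grep of SugarWebServiceImplv4.php:
    with encryption 'PLAIN' and a non-LDAP authenticator the server md5-hexes
    the received password itself; otherwise the client is expected to have
    sent md5_hex(password) already. Assumptions (constructed): stored_hash is
    md5_hex(password) and success returns a fixed session id; the real LDAP
    path is not modelled beyond skipping the md5 step.
    """
    user_auth = json.loads(rest_data)["user_auth"]
    password = user_auth["password"]
    if (user_auth.get("encryption") == "PLAIN"
            and auth_class != "LDAPAuthenticateUser"):
        password = md5_hex(password)
    if password == stored_hash:
        return {"id": "constructed-session-id"}
    return {"name": "Invalid Login", "number": 10,
            "description": "Login attempt failed please check the username and password"}


if __name__ == "__main__":
    stored = md5_hex("mypassword")  # constructed stored credential
    for label, field, enc in [("md5_hex", md5_hex("mypassword"), None),
                              ("plain, unflagged", "mypassword", None),
                              ("plain + PLAIN", "mypassword", "PLAIN")]:
        req = build_login_request("admin", field, enc)
        print(label, "->", server_login(req["rest_data"], stored))
```

Note that md5_hex(password) is exactly the value the server compares against, so on the wire it is password-equivalent and the md5 variant gains nothing over sending the plain password; transport encryption (HTTPS to rest.php) is what actually protects the login.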
Updated in version 3.23133