thayde3
New Member.

SSPR 4.1.0.3 Password Encoding Bug

Hello,

I've recently discovered a bug in SSPR version 4.1.0.3 where passwords generated by the random passwords function that contain an ampersand are not properly encoded. In the randomly generated password, the "&" gets expanded to "&amp;" in the final password. I've already contacted support and they are filing a bug report, but I wanted to share my findings and my current workaround as this issue had been generating a lot of user support tickets for us.

The behavior occurs in both the normal Change Password module and in the Service Desk module. The encoding is visible in the Change Password module, but is invisible in the Service Desk module.

For example, if a service desk technician selects the password "Test&" from the list of randomly generated passwords, they will receive the normal dialog that states the user's password has been changed to "Test&". However, the password that actually gets pushed into the downstream directory is "Test&amp;".

In the Change Password module, selecting the randomly generated password "Test&" from the list will insert "Test&amp;" into the password box and the user would have to enter the password a second time to confirm, so at least what is happening is visible to the user in this case.

To work around this issue, we've added "&" to the disallowed values in each of our password policies defined in SSPR. This prevents the random password generator from generating passwords containing the symbol.

Per MicroFocus support, the bug is also present in the latest 4.1.0.4 patch as well.
Knowledge Partner

Re: SSPR 4.1.0.3 Password Encoding Bug

Great feedback. Thank you for sharing these details, including the
workaround, so that others can avoid the issue if they encounter it. If
you get a Bug number, or a TID number, please feel free to share those as
well so we know where to look for updates from Micro Focus, and for a
final fix in the list of resolved issues on subsequent patches.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Re: SSPR 4.1.0.3 Password Encoding Bug

On 6/8/2017 9:51 AM, ab wrote:
> Great feedback. Thank you for sharing these details, including the
> workaround, so that others can avoid the issue if they encounter it. If
> you get a Bug number, or a TID number, please feel free to share those as
> well so we know where to look for updates from Micro Focus, and for a
> final fix in the list of resolved issues on subsequent patches.


Any other characters with this same escaping problem, or is it just
ampersand?

thayde3
New Member.

Re: SSPR 4.1.0.3 Password Encoding Bug

I've tested with a number of other special characters, but I've only experienced the issue with the ampersand.
Knowledge Partner

Re: SSPR 4.1.0.3 Password Encoding Bug

On 6/8/2017 10:34 AM, thayde3 wrote:
>
> I've tested with a number of other special characters, but I've only
> experienced the issue with the ampersand.


I guess that makes sense, since ampersand is the beginning of the escape
character string.


Knowledge Partner

Re: SSPR 4.1.0.3 Password Encoding Bug

On 06/08/2017 09:11 AM, Geoffrey Carman wrote:
> On 6/8/2017 10:34 AM, thayde3 wrote:
>>
>> I've tested with a number of other special characters, but I've only
>> experienced the issue with the ampersand.

>
> I guess that makes sense, since ampersand is the beginning of the escape
> character string.


Perhaps, but since that is HTML encoding, it would be prudent to test
other things commonly encoded via the same functions, such as less-than,
greater-than, and maybe double-byte characters. It's possible there was
an extra search/replace for ampersands coded in there, but there may also
be a call to an encode-everything-that-should-be-for-HTML in which case a
lot of things may be fouled up.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
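
The test suggested in the reply above, written out as an added example that is not part of the thread and is not SSPR code: it builds probe passwords and shows the value a generic HTML encoder would store in place of each. Which encoder SSPR applies is not stated in the thread, so two Python standard-library encoders stand in for it, and `PROBE_CHARS` is a constructed list.

```python
import html

# Constructed probe set (assumption, not an SSPR list): the characters named
# in the thread, a few other symbols, and one non-ASCII letter (e-acute).
PROBE_CHARS = "&<>\"'!#%+\u00e9"

def minimal_encode(s):
    """Escape only the HTML-significant characters (& < > " ')."""
    return html.escape(s, quote=True)

def aggressive_encode(s):
    """Also turn every non-ASCII character into a numeric reference."""
    return minimal_encode(s).encode("ascii", "xmlcharrefreplace").decode("ascii")

def probe_table(chars=PROBE_CHARS, base="Test"):
    """Map each probe password to the value(s) an encoder would store instead.

    Only passwords that an encoder changes are returned. Those are the ones
    to set from the random-password list in a test environment and then
    verify downstream with both the displayed and the encoded form.
    """
    table = {}
    for ch in chars:
        shown = base + ch
        variants = {minimal_encode(shown), aggressive_encode(shown)} - {shown}
        if variants:
            table[shown] = sorted(variants)
    return table

def chars_to_disallow(chars=PROBE_CHARS):
    """Characters to keep in the policy's disallowed values until a test
    shows that they reach the downstream directory unchanged."""
    return "".join(ch for ch in chars if aggressive_encode(ch) != ch)

if __name__ == "__main__":
    for shown, stored in probe_table().items():
        print(f"{shown!r:10} may be stored as {stored}")
    print("candidate disallowed values:", chars_to_disallow())
```

A probe counts as affected when the test account authenticates downstream with the encoded form rather than the displayed one.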
joelburke Respected Contributor.

Re: SSPR 4.1.0.3 Password Encoding Bug

We also discovered that SSPR was HTML encoding characters in the embedded JavaScript. This completely broke our application because we use the JS to manipulate the DOM on each page. The latest version of SSPR fixed this bug, but it seems like the application is trying to encode a lot of the information that gets outputted to the page.
thayde3
New Member.

Re: SSPR 4.1.0.3 Password Encoding Bug

ab;2459224 wrote:
> Great feedback. Thank you for sharing these details, including the
> workaround, so that others can avoid the issue if they encounter it. If
> you get a Bug number, or a TID number, please feel free to share those as
> well so we know where to look for updates from Micro Focus, and for a
> final fix in the list of resolved issues on subsequent patches.


I received the bug number from support. It is #1043222.