Special Characters in Full Name Field Prevent Dovecot Login in Apiscp

Version of apnscp : 9e159f6fae0d12f0aadcd5f1ba1e7a175b7d2706
RHEL or CentOS Version : Rocky Linux release 8.8 (Green Obsidian)

Bug Description :

When a user is created with a full name containing special characters and symbols, such as “Rävulen & Musifers Kattanistiska Sälskap / The Catanic Congregation of Lucifox and Mousifer”, the user fails to login to Dovecot. The error displayed in apiscp states “Authenticated user not found from userdb”.

Steps to Reproduce :

  1. Create a user with Full name: “Rävulen & Musifers Kattanistiska Sälskap / The Catanic Congregation of Lucifox and Mousifer”.
  2. Attempt to login to Dovecot.
  3. Observe the “Authenticated user not found from userdb” error.

Workaround : Changing the Full name to a simpler string without special characters and symbols, like “test”, resolves the issue, allowing the user to login successfully.

Additional Information :

  • Potential security implications should be evaluated. If special characters are mishandled or improperly sanitized, there may be potential for user enumeration, or even injection attacks if other parts of the system are equally lax in character handling.
  • It’s also worth noting that the use of certain characters like “&”, “/”, etc., in critical system files such as /etc/passwd can lead to unpredictable behavior in scripts or programs that parse these files. If these characters are interpreted in ways not expected, it could potentially compromise the integrity or behavior of the system.

Recommendation for Fix :

  1. Sanitize input fields, especially those that interact with system configurations, to ensure that unexpected characters are either disallowed or handled correctly.
  2. Provide feedback to the user upon account creation if the full name contains unsupported characters.
  3. Update documentation to specify any character limitations for the Full name field.
yum clean all
yum update -y dovecot

Dovecot has a fixed buffer length of 128 bytes, which results in an underrun on longer GECOS fields. Patched in latest release.