Password / Data Sanitization Bug

Started by gamestreams, September 21, 2013, 11:32:00 AM

gamestreams

Hello, I just came across SMF. I tried installing it 5 minutes ago and came across an issue that is bothersome, and thought I would bring it to your attention.

When installing the software, it asks for your network password several times. When I got to the end of creating the admin account, it asked for the network password again. I pasted it, as it was always in my buffer (created by a program that generates tough random passwords), and it failed to recognize the password.

After scratching my head for a while, I looked at the password and noticed that it has many characters programmers don't like because they cause issues with data security/sanitation.

It looks something like this...

als($923j23\'sj824#24$42

I noticed the backslash and the ' and the dollar sign. Not sure which of these is the problem, but it definitely caused a password mismatch problem, and shows me that the data sanitation / database query system used in this software could be vulnerable and insecure. It's obviously having an issue comparing, so therefore something was done to the strings themselves that cannot be a correct and safe way of doing this??

Can someone with more experience elaborate? I have not really checked the source, but I am now skeptical and would like my tin foil hat removed before continuing to use this software.

Arantor

It's the ' and the escape character for it. For some reason this doesn't always work even though the storage method is performed correctly given how it is stored.

I'd suggest not having a ' in the password personally because MySQL itself doesn't always like it.
Holder of controversial views, all of which my own.


gamestreams

Yes, it's clearly mysql_real_escape_string being added and stored in the database, but not cleansed when retrieved.... Which if I was a hack, I reckon I would be poking my nose in here, no? Clearly maybe injecting ''s can lead to some sort of issue? I dunno, just weird.. The most secure places out there don't care what characters you use... I don't sit there and type in a password, I have a 64 bit string generated using anything it desires... which is the secure part of a password :D

Burke ♞ Knight

!`@|#'$~%"^&*

Those are actually not allowed in a lot of places, due to them screwing up with coding, and MySQL.
I have a password generator that has those in a section that is, by default, turned off.

Certain characters are really not needed in passwords. Keeping it at 8-12 characters, A-Z, a-z, 0-9 and excluding similar, with minimum of 3 digits is good enough. ;)

Arantor

Quote from: gamestreams on September 21, 2013, 04:04:29 PM
Yes, it's clearly mysql_real_escape_string being added and stored in the database, but not cleansed when retrieved.... Which if I was a hack, I reckon I would be poking my nose in here, no? Clearly maybe injecting ''s can lead to some sort of issue? I dunno, just weird.. The most secure places out there don't care what characters you use... I don't sit there and type in a password, I have a 64 bit string generated using anything it desires... which is the secure part of a password :D

Um, that makes no sense. You can't store the database password (which is what the error is on) inside the database... (the user password is hashed without ever being passed through such, so it's just the database connection password... which you need to talk to the database which is stored in Settings.php)
Holder of controversial views, all of which my own.
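
A general illustration of why ' and \ need care when a connection password is written into a PHP settings file such as the Settings.php mentioned above. This is an added example, not SMF's installer code, and the thread does not establish that the installer works this way; the function names are hypothetical and the password is the sample from the first post.

```php
<?php
// Added illustration; not SMF code. Function names are hypothetical.

// Naive writer: pastes the raw value between single quotes.
function write_naive(string $value): string
{
    return "<?php\nreturn '" . $value . "';\n";
}

// Safe writer: var_export() emits a single-quoted literal with \ and ' escaped.
function write_safe(string $value): string
{
    return "<?php\nreturn " . var_export($value, true) . ";\n";
}

// Write the generated source to a temp file and read the value back via include.
function read_back(string $php_source): string
{
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $php_source);
    try {
        return include $path;
    } finally {
        unlink($path);
    }
}

// Sample password from the first post, in a nowdoc so nothing is unescaped here.
$entered = <<<'PW'
als($923j23\'sj824#24$42
PW;

// Round-trip check: does the value read back equal what was entered?
foreach (['naive' => 'write_naive', 'safe' => 'write_safe'] as $label => $writer) {
    $stored = read_back($writer($entered));
    printf("%-5s stored=%s match=%s\n", $label, $stored,
        hash_equals($entered, $stored) ? 'yes' : 'no');
}
```

For this sample the naive file still parses, because a backslash followed by ' inside a single-quoted PHP string reads as an escaped quote, so the stored value silently loses its backslash and no longer matches what was entered. A password containing a bare ' would instead make the naive file fail to parse.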
