FreePBX / issue-tracker

The unified FreePBX issue tracker.
https://www.freepbx.org
GNU General Public License v3.0

[bug]: Can't use password with an ampersand for logging into the web gui. Invalid Credentials. #473

Open MatthewLJensen opened 1 month ago

MatthewLJensen commented 1 month ago

FreePBX Version

FreePBX 17

Issue Description

When using usermanagement authentication and logging in with a user that has GUI privileges, passwords with an ampersand are not processed properly and are rejected when they shouldn't be. I suspect it's a problem with how the password field encodes the password before posting it to the server.

Operating Environment

FreePBX 17

+---------------------+------------+---------+-------------+-----------+
| Module              | Version    | Status  | License     | Signature |
+---------------------+------------+---------+-------------+-----------+
| accountcodepreserve | 17.0.0.1   | Enabled | GPLv2       | Sangoma   |
| adv_recovery        | 17.0.4     | Enabled | Commercial  | Sangoma   |
| allowlist           | 17.0.1.1   | Enabled | GPLv3+      | Sangoma   |
| amd                 | 17.0.1     | Enabled | GPLv3+      | Sangoma   |
| announcement        | 17.0.2.1   | Enabled | GPLv3+      | Sangoma   |
| api                 | 17.0.1.6   | Enabled | AGPLv3+     | Sangoma   |
| areminder           | 17.0.3.10  | Enabled | Commercial  | Sangoma   |
| arimanager          | 17.0.1.1   | Enabled | GPLv3+      | Sangoma   |
| asterisk-cli        | 17.0.2     | Enabled | GPLv3+      | Sangoma   |
| asteriskinfo        | 17.0.2     | Enabled | GPLv3+      | Sangoma   |
| backup              | 17.0.5.60  | Enabled | GPLv3+      | Sangoma   |
| blacklist           | 17.0.1.2   | Enabled | GPLv3+      | Sangoma   |
| broadcast           | 17.0.1.6   | Enabled | Commercial  | Sangoma   |
| builtin             |            | Enabled |             | Unsigned  |
| bulkhandler         | 17.0.5     | Enabled | GPLv3+      | Sangoma   |
| calendar            | 17.0.4.20  | Enabled | GPLv3+      | Sangoma   |
| callaccounting      | 17.0.5     | Enabled | Commercial+ | Sangoma   |
| callback            | 17.0.2.1   | Enabled | GPLv3+      | Sangoma   |
| callerid            | 17.0.1     | Enabled | Commercial  | Sangoma   |
| callforward         | 17.0.1.6   | Enabled | AGPLv3+     | Sangoma   |
| calllimit           | 17.0.1.2   | Enabled | Commercial  | Sangoma   |
| callrecording       | 17.0.3.7   | Enabled | AGPLv3+     | Sangoma   |
| callwaiting         | 17.0.3.4   | Enabled | GPLv3+      | Sangoma   |
| cdr                 | 17.0.4.22  | Enabled | GPLv3+      | Sangoma   |
| cdrpro              | 17.0.3.21  | Enabled | Commercial  | Sangoma   |
| cel                 | 17.0.2.9   | Enabled | GPLv3+      | Sangoma   |
| certman             | 17.0.3.13  | Enabled | AGPLv3+     | Sangoma   |
| cidlookup           | 17.0.1.1   | Enabled | GPLv3+      | Sangoma   |
| conferences         | 17.0.3.2   | Enabled | GPLv3+      | Sangoma   |
| conferencespro      | 17.0.1.7   | Enabled | Commercial  | Sangoma   |
| configedit          | 17.0.1.4   | Enabled | AGPLv3+     | Sangoma   |
| contactmanager      | 17.0.5.11  | Enabled | GPLv3+      | Sangoma   |
| core                | 17.0.17    | Enabled | GPLv3+      | Sangoma   |
| cos                 | 17.0.1.1   | Enabled | Commercial  | Sangoma   |
| customappsreg       | 17.0.1     | Enabled | GPLv3+      | Sangoma   |
| customcontexts      | 17.0.1.3   | Enabled | GPLv2+      | Sangoma   |
| dashboard           | 17.0.4.5   | Enabled | AGPLv3+     | Sangoma   |
| daynight            | 17.0.1.1   | Enabled | GPLv3+      | Sangoma   |
| dictate             | 17.0.1.2   | Enabled | GPLv3+      | Sangoma   |
| directory           | 17.0.1.1   | Enabled | GPLv3+      | Sangoma   |
| disa                | 17.0.5     | Enabled | AGPLv3+     | Sangoma   |
| donotdisturb        | 17.0.2.3   | Enabled | GPLv3+      | Sangoma   |
| dynroute            | 17.0.3.2   | Enabled | GPLv3+      | Sangoma   |
| endpoint            | 17.0.1.87  | Enabled | Commercial  | Sangoma   |
| extensionroutes     | 17.0.1     | Enabled | Commercial  | Sangoma   |
| extensionsettings   | 17.0.1     | Enabled | GPLv3+      | Sangoma   |
| fax                 | 17.0.3.4   | Enabled | GPLv3+      | Sangoma   |
| faxpro              | 17.0.1.19  | Enabled | Commercial  | Sangoma   |
| featurecodeadmin    | 17.0.2     | Enabled | GPLv3+      | Sangoma   |
| filestore           | 17.0.2.30  | Enabled | AGPLv3      | Sangoma   |
| findmefollow        | 17.0.4.10  | Enabled | GPLv3+      | Sangoma   |
| firewall            | 17.0.1.26  | Enabled | AGPLv3+     | Sangoma   |
| framework           | 17.0.19.13 | Enabled | GPLv2+      | Sangoma   |
| hotelwakeup         | 17.0.1.6   | Enabled | GPLv2       | Sangoma   |
| iaxsettings         | 17.0.1     | Enabled | AGPLv3      | Sangoma   |
| infoservices        | 17.0.1.1   | Enabled | GPLv2+      | Sangoma   |
| ivr                 | 17.0.8     | Enabled | GPLv3+      | Sangoma   |
| languages           | 17.0.1     | Enabled | GPLv3+      | Sangoma   |
| logfiles            | 17.0.3.3   | Enabled | GPLv3+      | Sangoma   |
| manager             | 17.0.6     | Enabled | GPLv2+      | Sangoma   |
| miscapps            | 17.0.3     | Enabled | GPLv3+      | Sangoma   |
| miscdests           | 17.0.1.1   | Enabled | GPLv3+      | Sangoma   |
| missedcall          | 17.0.1.2   | Enabled | GPLv3+      | Sangoma   |
| music               | 17.0.5     | Enabled | GPLv3+      | Sangoma   |
| outcnam             | 17.0.1     | Enabled | GPLv3+      | Sangoma   |
| outroutemsg         | 17.0.1     | Enabled | GPLv3+      | Sangoma   |
| paging              | 17.0.3     | Enabled | GPLv3+      | Sangoma   |
| pagingpro           | 17.0.1.6   | Enabled | Commercial  | Sangoma   |
| parking             | 17.0.2.5   | Enabled | GPLv3+      | Sangoma   |
| parkpro             | 17.0.1.4   | Enabled | Commercial  | Sangoma   |
| pbxmfa              | 17.0.2.3   | Enabled | Commercial+ | Sangoma   |
| phpinfo             | 17.0.1     | Enabled | GPLv2+      | Sangoma   |
| pinsets             | 17.0.3.2   | Enabled | GPLv3+      | Sangoma   |
| pinsetspro          | 17.0.2     | Enabled | Commercial  | Sangoma   |
| pm2                 | 17.0.3.3   | Enabled | AGPLv3+     | Sangoma   |
| pms                 | 17.0.2.30  | Enabled | Commercial  | Sangoma   |
| presencestate       | 17.0.2.4   | Enabled | GPLv3+      | Sangoma   |
| printextensions     | 17.0.1.2   | Enabled | GPLv3+      | Sangoma   |
| queueprio           | 17.0.1.4   | Enabled | GPLv3+      | Sangoma   |
| queues              | 17.0.1.12  | Enabled | GPLv2+      | Sangoma   |
| queuestats          | 17.0.1.7   | Enabled | Commercial  | Sangoma   |
| qxact_reports       | 17.0.3     | Enabled | Commercial  | Sangoma   |
| recording_report    | 17.0.3.8   | Enabled | Commercial  | Sangoma   |
| recordings          | 17.0.2.2   | Enabled | GPLv3+      | Sangoma   |
| restapps            | 17.0.1.24  | Enabled | Commercial  | Sangoma   |
| ringgroups          | 17.0.2.6   | Enabled | GPLv3+      | Sangoma   |
| sangomaconnect      | 17.0.1.39  | Enabled | Commercial  | Sangoma   |
| sangomacrm          | 17.0.1.16  | Enabled | Commercial  | Sangoma   |
| sangomartapi        | 17.0.2.12  | Enabled | Commercial  | Sangoma   |
| setcid              | 17.0.1.2   | Enabled | GPLv3+      | Sangoma   |
| sipsettings         | 17.0.6.9   | Enabled | AGPLv3+     | Sangoma   |
| sipstation          | 17.0.3.4   | Enabled | Commercial  | Sangoma   |
| sms                 | 17.0.1.15  | Enabled | Commercial  | Sangoma   |
| smsplus             | 17.0.3     | Enabled | Commercial  | Sangoma   |
| soundlang           | 17.0.4.1   | Enabled | GPLv3+      | Sangoma   |
| superfecta          | 17.0.2.1   | Enabled | GPLv2+      | Sangoma   |
| sysadmin            | 17.0.1.96  | Enabled | Commercial  | Sangoma   |
| timeconditions      | 17.0.1.18  | Enabled | GPLv3+      | Sangoma   |
| tts                 | 17.0.1.1   | Enabled | GPLv3+      | Sangoma   |
| ttsengines          | 17.0.1     | Enabled | AGPLv3      | Sangoma   |
| ucp                 | 17.0.4.23  | Enabled | AGPLv3+     | Sangoma   |
| userman             | 17.0.6.28  | Enabled | AGPLv3+     | Sangoma   |
| vmblast             | 17.0.2     | Enabled | GPLv3+      | Sangoma   |
| vmnotify            | 17.0.1.7   | Enabled | Commercial  | Sangoma   |
| voicemail           | 17.0.5.22  | Enabled | GPLv3+      | Sangoma   |
| voicemail_report    | 17.0.1.1   | Enabled | Commercial  | Sangoma   |
| voipinnovations     | 17.0.1.4   | Enabled | Commercial  | Sangoma   |
| vqplus              | 17.0.1.17  | Enabled | Commercial  | Sangoma   |
| weakpasswords       | 17.0.1     | Enabled | GPLv3+      | Sangoma   |
| webcallback         | 17.0.4     | Enabled | Commercial  | Sangoma   |
| webrtc              | 17.0.2.2   | Enabled | GPLv3+      | Sangoma   |
+---------------------+------------+---------+-------------+-----------+

Relevant log output

No response
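The report above suspects the login form's encoding of the password. The following is an added example (not FreePBX code, and not an established diagnosis of this bug) showing the mechanism that would produce exactly this symptom: a raw, unescaped `&` in an application/x-www-form-urlencoded body is read by the server as a field separator, so the password it checks is silently truncated. The field names `username`/`password`, the in-memory user store and the `demo()` wrapper are constructed assumptions; the sample password is the one the reporter posted later in this thread.

```javascript
// Added example (not FreePBX code): why a raw '&' in a login password can
// produce "Invalid Login Credentials". Field names "username"/"password",
// the user store and demo() are constructed assumptions, not FreePBX's API.

// Naive client: builds the form body by string concatenation, so an '&' in
// the password is not escaped and becomes a field separator on the wire.
function encodeNaive(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('&');
}

// Correct client: URLSearchParams percent-encodes reserved characters
// ('&' -> '%26', '=' -> '%3D', '+' -> '%2B'), so the password survives intact.
function encodeProper(fields) {
  return new URLSearchParams(fields).toString();
}

// Server side: parse an application/x-www-form-urlencoded body the way a
// typical web framework would, yielding a plain object of decoded fields.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// Simulated credential check against a constructed, in-memory user store
// (a real system stores a password hash, not the password itself).
const USERS = { admin: 'h94cysYehQOJjkd&' };
function checkLogin(body) {
  const { username, password } = parseFormBody(body);
  return Object.prototype.hasOwnProperty.call(USERS, username) &&
    USERS[username] === password;
}

// Run both encodings of the same credentials through the same server logic.
function demo() {
  const creds = { username: 'admin', password: 'h94cysYehQOJjkd&' };
  const naiveBody = encodeNaive(creds);
  const properBody = encodeProper(creds);
  return {
    naiveBody,                                      // username=admin&password=h94cysYehQOJjkd&
    properBody,                                     // username=admin&password=h94cysYehQOJjkd%26
    naiveSeen: parseFormBody(naiveBody).password,   // 'h94cysYehQOJjkd' (trailing '&' lost)
    properSeen: parseFormBody(properBody).password, // 'h94cysYehQOJjkd&'
    naiveLogin: checkLogin(naiveBody),              // false -> "Invalid Login Credentials"
    properLogin: checkLogin(properBody),            // true
  };
}
```

The quickest way to confirm or rule this out on a real instance is to watch the login request in the browser's developer tools: if the posted body shows the password's `&` as `%26`, the client encoding is fine and the truncation happens elsewhere (for example in a server-side decode or in how the stored credential was written); if it shows a bare `&`, the client is building the body without escaping. Note that the same class of bug also affects `=`, `+` and `%` in passwords, so a fix should escape all reserved characters rather than special-case the ampersand.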

prasanthcode4 commented 1 month ago

Hi,

I tested the UCP login and was able to successfully log in using a password that includes an ampersand. Could you please provide more details about the issue you're experiencing? If possible, kindly share any screenshots or additional information that might help us understand the problem better.

MatthewLJensen commented 1 month ago

Sorry it took a while for me to reply here. I'm referring to the FreePBX Admin login, not the UCP.

kguptasangoma commented 1 month ago

And please share the type of password you are using so we can try to use the exact same one to reproduce the issue, @MatthewLJensen?

MatthewLJensen commented 1 month ago

I'm using the usermanager authorization type. I've got a user with FreePBX Administration GUI Admin privileges.

Here's a sample password I just tested: h94cysYehQOJjkd
I can log in when the user has this password, but when I add an ampersand to the end like so: h94cysYehQOJjkd&
I am no longer able to log in. I get a banner at the top of the 'FreePBX Administration' login page in red saying 'Invalid Login Credentials'.

Please let me know if you need further information to reproduce the problem.

prasanthcode4 commented 1 month ago

@MatthewLJensen Thank you for your response, I will check with this detail. If I need any further details, I will reach out.