Security issue with the panel?

My username is something like this;

Y#2@:3:{|c2%-E3f$6a3=f^OeF-3g5."B6c&4'688dW2*r@V-A]3)3z164@[qpQI

When I log in using this username, but with an additional / character at the end, I am still able to login.

This works with every username, so username test is the same as username test/

Is this done by purpose?

I mean, username foo can not be the same as username foo/ but both are accepted once foo is set.


To be clear, this is about my username, my password is something like this;

2'7902'5P[5.4P+F84L<9l|+$lt35p|50)8N}qE<wYC04{*.920<XH90|o3#B33 t8k4?1**5?)E8693y983C14#3+/)92z001){h3B93^5(@6Ne"Sy*.&?8m7'10#.q^ 8,bk@92 92<Hm9>b\\=m@KZH>8#:3R3311 "N&Z2\!.L1$8/Co[^K*1688]^|.5590C]&45~81=66):9]5d56l9})'+1N[%9=[62k27d2) -&&!5.~:58?,@=NY0mRwCrOmfAPRmgzsqnXOEMsWBbBpOeqJNnzIgcvMaVyhpCNkPKzdCqwDIKbddYexTPwrMlUVLmernESkdfRMWeMrKPGZvZaRSfDKJQayQSkhlbmf


Call me paranoid, but it’s all about security… a username with an additional character can never be accepted as the same username without it.

What panel version are you using?

Kirby 2.1.1 sanitizes user names, so a user name like “Y#2@:3:{|c2%” will result in “y-2-3-c2” in your account file, so “foo” will be the same as “foo” because “foo” is not allowed.

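To illustrate the answer above, here is an added example (not Kirby's own code) of slug-style username sanitization and the collision it causes: the `canonicalize` rule is an assumed approximation of the behaviour described ("Y#2@:3:{|c2%" becoming "y-2-3-c2"), and the `UserStore` class is a hypothetical account store that refuses to create a second account whose sanitized form already exists.

```python
import re
from typing import Dict, Optional


def canonicalize(raw: str) -> str:
    """Assumed slug rule approximating the sanitization described in the thread:
    lowercase, collapse every run of characters outside [a-z0-9] into one '-',
    then trim leading/trailing '-'.  Distinct raw inputs can map to one slug."""
    slug = re.sub(r"[^a-z0-9]+", "-", raw.lower())
    return slug.strip("-")


def same_account(name_a: str, name_b: str) -> bool:
    """True when two raw usernames resolve to the same sanitized account name."""
    return canonicalize(name_a) == canonicalize(name_b)


class UserStore:
    """Hypothetical account store keyed by the sanitized (canonical) name."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}  # canonical name -> name as entered

    def register(self, raw: str) -> str:
        canon = canonicalize(raw)
        if not canon:
            raise ValueError("username contains no allowed characters")
        if canon in self._users:
            # Reject instead of silently merging two identities into one account.
            raise ValueError(
                f"{raw!r} collides with existing account {self._users[canon]!r} "
                f"(both sanitize to {canon!r})"
            )
        self._users[canon] = raw
        return canon

    def lookup(self, raw: str) -> Optional[str]:
        """Login-side lookup: any raw spelling of the same slug finds the account."""
        return self._users.get(canonicalize(raw))


if __name__ == "__main__":
    store = UserStore()
    store.register("foo")
    print(store.lookup("foo/"))      # "foo": the trailing '/' is dropped by sanitization
    try:
        store.register("foo/")       # refused: it is the same account as "foo"
    except ValueError as err:
        print(err)
```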

That clears a lot - thanks!

I will prevent creating usernames containing the backslash character in the future.

BTW. I am using panel 2.1.1

Instead of using complex usernames and passwords, I recommend using long alphanumeric ones. These passwords are nearly equally secure:

=s7ozmN33X[Ww;#gkra](tvAxNQL,u%JgTP633Dd,fAyk*LT
VCq7j8QGwHFAixo6zYVA8QYRCgsZb2p6NNUZVjwDLCZ6h4J7
Thisisalongpasswordthatcanactuallyberemberedyeah

The advantage of alphanumeric usernames/passwords is that they are supported everywhere and you can remember them.

I know, but I prefer complex credentials - generated from https://strongpasswordgenerator.com/ (both username and password).

I save them on an encrypted disk, made invisible in my system and stored in Keepass…