Setting the adm password to 50 characters breaks the web UI completely

terilekst

Hi all

Me and a mate both got the ASUS RT-AC87U and we both immediately installed the latest asuswrt-merlin. He set his up just fine and we also set mine up fine. A few days later I wanted to change the admin password for the web UI and after that it suddenly started showing the following screen in Chrome:

Settings have been updated. Web page will now refresh.
Changes have been made to the IP address or port number. You will now be disconnected from RT-AC87U.
To access the settings of RT-AC87U, reconnect to the wireless network and use the updated IP address and port number.

I tried different browsers and also different devices but all of them immediately give a 404. The router itself however seems to keep working (wired, wifi) but just the web UI is completely broken. I tried restarting it and even that didn't work so I had no choice but to factory reset it.

Never thinking about the fact that it could be due to the password change I just set it up again. After having it completely set up I tried changing the password again and the exact same thing happened. Chrome shows that annoying page and all other devices/browsers simply give a 404.

I then asked my friend with the same router & firmware to try setting his password to 50 characters and his also broke down, resulting in him being pissed off with me for breaking his router :D I was just glad to know that it is reproducible and that it indeed has something to do with the password change.

I tried googling it but didn't find anyone with the same problem so here I am. I am yet to confirm that the same issue is available when running the standard ASUS firmware but I already wanted to post this here to find out if this is known.

Thanks in advance!
 
The "annoying" message is because of browser cache. It will happen every time you reboot the router. So, just clear the browser cache and everything will be fine. In Mozilla it is in menu "Tools>Options>Advanced>Network>Offline Web Content and user Data". In Chrome it should be something similar.
 
Hi netware5

I've already read everything there is about that screen in Chrome and I already know and tried the fixes for Chrome but I think you missed out the most important part of my thread: the fact that I CANNOT access the web UI from ANY other device and/or browser combination after changing the password.

Indeed Chrome will keep showing me that screen but any other device/browser simply returns a 404 so your solution really does not help a lot.
 
Are you sure you haven't changed your router's IP address?
 
Hi Rodak

I'm absolutely sure because of the following facts which I already partially stated before:

- I can still ping the router
- Because the only change I did both times I broke the router was changing the password
- Because I broke my friend's router after I explicitly asked him to just change his password to some 50 char password

Thanks again
 
How did you set a 50 char password? I looked at the code and the GUI should limit the length to 16 chars and not allow 'pasting'. I'm on an older level of code, but confirmed that's how it worked there.
 
Hi John

I normally use Lastpass for generating all my passwords and that's what I also did this time. In the UI that I have I never saw any password restriction mentioned there and it also just allowed me to submit a 50 character password.

After breaking my friend's router yesterday by asking him to do the same, he factory reset his, reinstalled the latest version of asuswrt-merlin and he then set a 25 character password on his router and that worked fine, so I assume that your 16 character limit has been removed in a newer version?

Besides that I really get shivers when I have to use systems that limit the length of a password but that's beside the point here :)
 
I was looking at the latest level code....also, if you click on 'New Password' you'll get a popup stating the 16 char limit.

Also, you should disable Lastpass for the router address....it has caused numerous problems in the past (if you do a forum search you'll find them). In this case, it seems to be circumventing the field restrictions. Try typing in a password manually and you'll see the 16 char limit enforced.
 
Hi John

I'll factory reset it tonight and run some tests to determine if I can pinpoint the problem. I cannot imagine Lastpass bypassing field validation but I'll do some testing and get back to you!

Thanks again
 
Someone should probably file a bug with ASUS on this - could be a buffer overflow issue, and this can lead to security concerns.
 
This is the first comment that actually makes sense. Thank you for that.

With regard to the problem: I really don't think we're looking at the same place to edit the password. I go to the 'Administration' section in my router and then I can change the password under the 'System' tab. It states nowhere that the limit is set to 16 but when manually typing a password it does limit it to 16 so yes, there is a limit of 16 characters.

What really worries me is that this limit is apparently not enforced after submitting the form and even worse, it even seems to completely break the web application which, no matter what way you put it, is a severe concern.

Issues like these and especially the way people reacted to the issue on this forum (except sfx2000) really concern me and also make me lose faith in this software. I will contact ASUS to see what can be done.
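
The gap described in this thread (a 16-character limit applied only in the form, with nothing repeating the check once the request is submitted) is closed by validating on the server side. The following is an added example, not code from the thread, ASUS or asuswrt-merlin; the field name `new_password`, the form-encoded request body and the 17-byte buffer are assumptions, and only the limit of 16 comes from the posts above.

```c
#include <string.h>

#define PASSWD_MAX 16 /* limit quoted in the thread; the buffer size is an assumption */

enum pw_status { PW_OK, PW_MISSING, PW_TOO_LONG, PW_BAD_ENCODING };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static enum pw_status reject(char *out, enum pw_status why)
{
    memset(out, 0, PASSWD_MAX + 1); /* never leave a partial secret behind */
    return why;
}

/* Decode field `name` (hypothetical) from a urlencoded POST body into out.
 * Over-long input is rejected, never truncated or copied past the buffer. */
enum pw_status get_password_field(const char *body, const char *name,
                                  char out[PASSWD_MAX + 1])
{
    size_t nlen = strlen(name), n = 0;
    const char *p = body;

    memset(out, 0, PASSWD_MAX + 1);
    while (p && !(strncmp(p, name, nlen) == 0 && p[nlen] == '=')) {
        p = strchr(p, '&');          /* skip to the next key=value pair */
        if (p) p++;
    }
    if (!p) return PW_MISSING;
    for (p += nlen + 1; *p && *p != '&'; p++) {
        int c = (unsigned char)*p;
        if (c == '+') c = ' ';
        else if (c == '%') {         /* length is counted after decoding */
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return reject(out, PW_BAD_ENCODING);
            c = hi * 16 + lo;
            p += 2;
        }
        if (c == 0) return reject(out, PW_BAD_ENCODING); /* embedded NUL */
        if (n == PASSWD_MAX) return reject(out, PW_TOO_LONG);
        out[n++] = (char)c;
    }
    return n ? PW_OK : PW_MISSING;
}
```

Rejecting with an explicit status lets the handler return an error page and keep the old password, so the stored credential never differs from what the user believes was set.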
 
