In the past, when creating a new user, we used the format “a-thomas”, for example. Now it seems that the “dash” is an invalid character when creating a new user. Was this change intended, or is it possibly a bug?
Here are the error details:
AppServer Connection: https://central****.epicorsaas.com/
Form Name: User Account Maintenance
Customization Name:
Menu ID: SUSC1010
Software Version: 4.3.200.0
============
Business Layer Exception
Invalid characters in user ID.
Exception caught in: Epicor.ServiceModel
Error Detail
============
##!Correlation ID:##! 9c1ea489-4c6a-427b-b046-89c892598af2
##!Description:##! Invalid characters in user ID.
##!Program:##! Ice.Services.BO.UserFile.dll
##!Method:##! UserFileBeforeUpdate
##!Line Number:##! 1669
##!Column Number:##! 21
Client Stack Trace
==================
at Epicor.ServiceModel.Channels.ImplBase.CallWithCommunicationFailureRetry(String methodName, ProxyValuesIn valuesIn, ProxyValuesOut valuesOut, RestRpcValueSerializer serializer)
at Epicor.ServiceModel.Channels.ImplBase.CallWithMultistepBpmHandling(String methodName, ProxyValuesIn valuesIn, ProxyValuesOut valuesOut, Boolean useSparseCopy)
at Epicor.ServiceModel.Channels.ImplBase.Call(String methodName, ProxyValuesIn valuesIn, ProxyValuesOut valuesOut, Boolean useSparseCopy)
at Ice.Proxy.BO.UserFileImpl.Update(UserFileDataSet ds)
at Ice.Adapters.UserFileAdapter.OnUpdate()
at Ice.Lib.Framework.EpiBaseAdapter.Update()
at Ice.UI.App.UserAccountEntry.Transaction.Update()
That’s because of a ticket I’ve had open since April 19, 2023. I supplied UserID as the least exploitable means of demonstrating a discovered exploit. Support missed the point and fixed the test instead of the problem. You can reference case# CS0003609116 if that helps.
I finally got around to logging a case on this as all of our users have a dash in their username and I was unhappy about changing the naming convention.
The reply I received is below:
This change was made under ERPS-249947 that released in 2024.2. These new rules were implemented following security and penetration testing to ensure the system functions as intended. The changes are strictly for bolstering security measures.
According to Dev:
UserID is too permissive in the characters it allows. On creation of a new user, the UserID should add checks to fail validation if the ID contains:
,
;
–
"
That last is a double quote, not a single quote. The first is a comma, not an apostrophe. This should apply only to newly created users and should not impact existing users that may already have those characters in their IDs.
Therefore, characters other than those listed above remain permissible in usernames.
Existing usernames with dashes will continue to function normally. However, NEW usernames cannot include dashes and existing usernames cannot be modified to remove the dash.
I am not in IT. Can someone explain why a dash in the username is a security risk?