Possible security problem
My name is Bernhard Grün and I have been using ISPConfig for some time (without any problems). During a security audit (with version 2.2.0) I saw a problem in my /etc/shadow file:
The password for the account above is tester at the moment. As you can see, the first two chars of the crypted password string are "te". So the effective password length goes down by 2! This makes word list attacks easy. This should be changed soon, I think.
This is the corresponding code from the mailuser backend:
I would really love to see this fixed because it makes ISPConfig much more secure.
There is also a setting in config.inc.php:
For others reading this post, please have a look at these threads:
The problem will be patched in release 2.2.1.
As a workaround, set this in config.inc.php
Thanks for fixing it!
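An added example, not part of the thread and not ISPConfig's own code: a Python audit that classifies the hash field of shadow-format lines, flags accounts still on the traditional 13-character crypt format (whose first two characters are the salt in clear text), and draws a salt from a CSPRNG instead of from the password. The function names and sample entries are assumptions constructed for illustration; the hash bodies are placeholders, not real crypt output.

```python
import re
import secrets

# Alphabet crypt(3) uses for salts and for the encoded hash.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11-char hash
MODULAR_RE = re.compile(r"^\$([0-9a-z]+)\$")  # e.g. $1$..., $6$...


def classify(hash_field):
    """Return (scheme, salt) for the second field of a shadow entry.
    The salt is only reported for the traditional format."""
    if DES_RE.match(hash_field):
        return "des", hash_field[:2]  # salt is stored unencrypted
    m = MODULAR_RE.match(hash_field)
    if m:
        return "modular-" + m.group(1), None
    return "locked-or-empty", None


def salt_mirrors_password(hash_field, password):
    """For use at login or password change, when the plaintext is
    legitimately available: True if a traditional entry's salt equals
    the first two characters of the password."""
    scheme, salt = classify(hash_field)
    return scheme == "des" and password[:2] == salt


def random_des_salt():
    """Two salt characters from a CSPRNG, independent of the password."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))


def audit(shadow_text):
    """Return the account names still using the traditional format."""
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and classify(fields[1])[0] == "des":
            flagged.append(fields[0])
    return flagged


# Constructed sample; account names and hash bodies are placeholders.
SAMPLE = """\
web1_demo:teAAAAAAAAAAA:13000:0:99999:7:::
web1_other:$1$Qz3kLp0a$BBBBBBBBBBBBBBBBBBBBBB:13000:0:99999:7:::
web1_locked:!:13000:0:99999:7:::
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts the audit flags need a password reset or a re-hash at next login, since the existing hash cannot be converted without the plaintext.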