HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


bjmg 9th March 2006 11:16

Possible security problem
 
Hello,

my name is Bernhard Grün and I have been using ISPConfig for some time (without any problems). During a security audit (with Version 2.2.0) I saw a problem in my /etc/shadow file:
Code:

web4_bjmg:teCi1U7ES.EJw:13216:0:99999:7:::

As you can see my username is web4_bjmg and the password is only crypted - without md5 (this alone is a problem by itself!). But the problem I see is MUCH bigger.
The password for the account above is tester at the moment. As you can see the first two chars of the crypted password string are "te". So the effective password length goes down by 2! This makes word list attacks easy. This should be changed soon I think.
This is the corresponding code from the mailuser backend:
Code:

$rec["user_passwort"] = "||||:".crypt(trim($_POST["user_passwort"]),substr(trim($_POST["user_passwort"]),0,2));

As you can see it just uses the first two chars of the password string as salt. This is NOT good. Normally the salt should be something like crc16 of the username. I mean a function that outputs two bytes from an input string of variable length. This makes it harder to compare passwords against other passwords.
Example:
Code:

web4_bjmg:teCi1U7ES.EJw:13216:0:99999:7:::
web1_info:teCi1U7ES.EJw:13216:0:99999:7:::

As you can see both hashed passwords are the same. True - they are the same. This means that if one account is hacked all accounts with the same password are hacked too (even if the persons are NOT connected to each other).

I would really love to see this fixed because it makes ISPConfig much more secure.
There is also a setting in config.inc.php:
Code:

$go_info["server"]["password_hash"] = 'crypt'; // 'crypt' = crypt; 'md5' = crypt-md5

Changing that to md5 does nothing. At least I didn't find a code line that uses this password_hash variable.


Best wishes

Bernhard
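
Added example (not part of the original posts and not ISPConfig code): a Python audit of shadow-format lines that flags traditional DES crypt entries of the kind described in the post above and groups accounts that share an identical hash. The sample input is constructed from the two lines quoted in the post plus two made-up accounts; `classify` and `audit` are hypothetical names.

```python
from collections import defaultdict

# Constructed sample: the two entries quoted in the post plus two made-up
# accounts. The $1$ value is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
web4_bjmg:teCi1U7ES.EJw:13216:0:99999:7:::
web1_info:teCi1U7ES.EJw:13216:0:99999:7:::
web2_demo:$1$Ab3dEf9h$PLACEHOLDERPLACEHOLDER:13216:0:99999:7:::
web3_lock:!:13216:0:99999:7:::
"""

CRYPT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz")
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def classify(field):
    """Name the scheme of a shadow password field (hypothetical helper)."""
    if not field or field[0] in "!*":
        return "locked-or-empty"
    if field.startswith("$"):
        return MODULAR.get(field.split("$")[1], "other")
    # Traditional DES crypt: 2 salt chars + 11 hash chars, no "$" prefix.
    if len(field) == 13 and set(field) <= CRYPT_CHARS:
        return "des-crypt"
    return "other"

def audit(shadow_text):
    """Return ({user: salt} for DES crypt entries, {hash: [users]} if shared)."""
    legacy, by_hash = {}, defaultdict(list)
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        scheme = classify(pw)
        if scheme == "locked-or-empty":
            continue
        by_hash[pw].append(user)
        if scheme == "des-crypt":
            legacy[user] = pw[:2]  # salt is stored in clear as the first 2 chars
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return legacy, shared

if __name__ == "__main__":
    legacy, shared = audit(SAMPLE_SHADOW)
    for user, salt in legacy.items():
        print(f"{user}: DES crypt, salt {salt!r}")
    for users in shared.values():
        print("identical hash:", ", ".join(users))
```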

till 15th March 2006 12:21

For others reading this post, please have a look at these threads:

http://www.howtoforge.com/forums/showthread.php?t=3009
http://www.howtoforge.com/forums/showthread.php?t=3025

The problem will be patched in release 2.2.1

As a workaround, set this in config.inc.php

Quote:

$go_info["server"]["password_hash"] = 'md5';

UPDATE: The patch is already in the ISPConfig SVN repository. The SVN versions are available for download here:

http://www.ispconfig.org/downloads.htm

bjmg 15th March 2006 18:33

Thanks for fixing it!

Bernhard


All times are GMT +2.