HowtoForge Forums > ISPConfig 2 > General
9th March 2006, 12:16
bjmg
Junior Member
Join Date: Mar 2006
Location: Püttlingen, Saarland, Germany
Posts: 13

Possible security problem

My name is Bernhard Grün and I have been using ISPConfig for some time now (without any problems). During a security audit (with version 2.2.0) I saw a problem in my /etc/shadow file:
As you can see my username is web4_bjmg and the password is only crypted - without md5 (this alone is a problem by itself!). But the problem I see is MUCH bigger.
The password for the account above is "tester" at the moment. As you can see the first two chars of the crypted password string are "te". So the effective password length goes down by 2! This makes word list attacks easy. This should be changed soon, I think.
This is the corresponding code from the mailuser backend:
// salt = the first two characters of the password itself
$rec["user_passwort"] = "||||:".crypt(trim($_POST["user_passwort"]),substr(trim($_POST["user_passwort"]),0,2));
As you can see it just uses the first two chars of the password string as salt. This is NOT good. Normally the salt should be something like a crc16 of the username. I mean a function that outputs two bytes from an input string of variable length. This makes it harder to compare passwords against other passwords.
As you can see both hashed passwords are the same. True - they are the same. This means that if one account is hacked, all accounts with the same password are hacked too (even if the persons are NOT connected to each other).

I would really love to see this fixed because it makes ISPConfig much more secure.
There is also a setting in config.inc.php:
$go_info["server"]["password_hash"] = 'crypt'; // 'crypt' = crypt; 'md5' = crypt-md5
Changing that to md5 does nothing. At least I didn't find a code line that uses this password_hash variable.

Best wishes

Reply With Quote
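The two weaknesses described in the post (a salt taken from the password itself, and identical hashes for identical passwords) can be made concrete with a small model. The following is an added example, not code from the post or from ISPConfig. It does not implement DES crypt(3); it uses a short SHA-256 digest as a stand-in so that only the salt handling is modelled, and it reproduces the 13-character layout (2-char salt + 11 hash chars) of a traditional crypt entry. The shadow lines at the bottom are constructed, and the function names (weak_hash, random_salt_hash, audit_shadow, duplicate_hash_groups) are this example's own.

```python
import hashlib
import secrets
import string

# Alphabet used by crypt(3)-style salts (./0-9A-Za-z). The hashing below is a
# constructed model of the salt handling only, not a DES crypt implementation.
SALT_ALPHABET = "./" + string.digits + string.ascii_letters


def _digest(salt, password):
    """Stand-in one-way function: salt followed by a short SHA-256 digest."""
    h = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + h[:11]  # 2-char salt + 11 chars, mirroring the 13-char crypt layout


def weak_hash(password):
    """The pattern from the post: the salt is the first two characters of the password."""
    return _digest(password[:2], password)


def random_salt_hash(password, salt=None):
    """Same model, but the salt is chosen independently of the password."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))
    return _digest(salt, password)


def verify(password, stored):
    """Re-derive using the salt stored in the entry (works for both schemes)."""
    return _digest(stored[:2], password) == stored


def leaked_prefix(stored):
    """Under the weak scheme the stored salt IS the first two password characters."""
    return stored[:2]


def classify_hash(field):
    """Map a shadow password field to its hashing scheme."""
    if field in ("", "*") or field.startswith("!"):
        return "locked-or-empty"
    if field.startswith("$1$"):
        return "md5-crypt"
    if field.startswith("$5$"):
        return "sha256-crypt"
    if field.startswith("$6$"):
        return "sha512-crypt"
    if field.startswith("$2"):
        return "bcrypt"
    if len(field) == 13 and all(c in SALT_ALPHABET for c in field):
        return "des-crypt"
    return "unknown"


def _entries(lines):
    """Yield (user, password_field) for each non-empty, non-comment shadow line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        yield parts[0], parts[1]


def audit_shadow(lines):
    """Return (user, scheme) for every shadow entry, in file order."""
    return [(user, classify_hash(field)) for user, field in _entries(lines)]


def weak_entries(lines):
    """Users still on plain DES crypt, the scheme the post complains about."""
    return [user for user, scheme in audit_shadow(lines) if scheme == "des-crypt"]


def duplicate_hash_groups(lines):
    """Users sharing an identical hash: with a password-derived salt this means
    an identical password, which is what the post observed for two accounts."""
    groups = {}
    for user, field in _entries(lines):
        groups.setdefault(field, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed sample lines (not from any real system); web4_alice and web4_bob
# have the same password "tester" under the weak scheme.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnopqrstuvwxyz:13000:0:99999:7:::",
    "web4_alice:teAbCdEfGhIjK:13000:0:99999:7:::",
    "web4_bob:teAbCdEfGhIjK:13000:0:99999:7:::",
    "web5_carol:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:13000:0:99999:7:::",
    "nobody:!:13000:0:99999:7:::",
]

if __name__ == "__main__":
    print("weak scheme leaks prefix:", leaked_prefix(weak_hash("tester")))
    print("same password, two random salts differ:",
          random_salt_hash("tester") != random_salt_hash("tester"))
    print("DES-crypt users:", weak_entries(SAMPLE_SHADOW))
    print("shared hashes:", duplicate_hash_groups(SAMPLE_SHADOW))
```

The audit half is the part worth running on a real system: classify_hash flags 13-character entries without a "$id$" prefix as traditional DES crypt, and duplicate_hash_groups shows which accounts can be tied together from the hash alone. With an independently chosen salt, identical passwords no longer produce identical entries, so that second check becomes uninformative, which is the point of a proper salt.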