#1
18th March 2007, 20:04
voipfc
Bugs in PostfixAdmin with blank passwords?

Are there some bugs in PostfixAdmin?

Unless I haven't configured it properly there must be some flaw somewhere.

The passwords are blank.
__________________
The mental attitude whose nature is resolution
Is but one in this world, son of Kuru;
For many-branched and endless
Are the mental attitudes of the irresolute.

Ch 2.41
#2
19th March 2007, 13:41
falko

I don't know PostfixAdmin, but maybe it doesn't display anything in the password fields, even if passwords are set? At least that's the way ISPConfig behaves.
__________________
Falko
#3
19th March 2007, 20:22
voipfc
Examining the code shows some inconsistency

My initial post was due to a misconfiguration, but the code shows some inconsistency to me.

It appears that the way passwords are created differs from how they are tested when the user tries to login to administer their own account, and in the case of admins, their domain users' accounts.

In some cases user checks are made by comparing the entered password against a hash of the existing password.

This is what the code for the login.php on both the admin and the user/mailbox page looks like. The record is checked against a password derived from his plaintext password on the form and the password in the database.

PHP Code:
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
   $fUsername = escape_string ($_POST['fUsername']);
   $fPassword = escape_string ($_POST['fPassword']);

   // Fetch the stored password value for this admin.
   $result = db_query ("SELECT password FROM admin WHERE username='$fUsername' AND active='1'");
   if ($result['rows'] == 1)
   {
      $row = db_array ($result['result']);
      // Hash the submitted password, passing the stored value as the second argument.
      $password = pacrypt ($fPassword, $row['password']);

      // Second query: match on both the username and the recomputed hash.
      $result = db_query ("SELECT * FROM admin WHERE username='$fUsername' AND password='$password' AND active='1'");
      if ($result['rows'] != 1)
      {
         $error = 1;
         $tMessage = $PALANG['pLogin_password_incorrect'];
         $tUsername = $fUsername;
      }
   }
   else
   {
      $error = 1;
      $tMessage = $PALANG['pLogin_username_incorrect'];
   }

   if ($error != 1)
   {
      session_start();
      session_register("sessid");
      $_SESSION['sessid']['username'] = $fUsername;

      header("Location: main.php");
      exit;
   }
}
In password.php for both admin and user the same is also applied

PHP Code:
   if ($result['rows'] == 1)
   {
      $row = db_array ($result['result']);
      // Hash the current password from the form, passing the stored value as the second argument.
      $checked_password = pacrypt ($fPassword_current, $row['password']);

      $result = db_query ("SELECT * FROM admin WHERE username='$username' AND password='$checked_password'");
      if ($result['rows'] != 1)
      {
         $error = 1;
         $pPassword_password_current_text = $PALANG['pPassword_password_current_text_error'];
      }
   }
   else
   {
      $error = 1;
      $pPassword_email_text = $PALANG['pPassword_email_text_error'];
   }

Yet when the record is created or updated the password stored in the database is generated by pacrypt($fPassword), as it would be meaningless to generate it against a hash of what is already there.

Unless it is flawed I don't think I quite understand the code.
__________________
The mental attitude whose nature is resolution
Is but one in this world, son of Kuru;
For many-branched and endless
Are the mental attitudes of the irresolute.

Ch 2.41
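
The create-versus-check difference described in post #3, as an added example (not PostfixAdmin's code and not part of any post above): assuming pacrypt produces salted crypt-style hashes, the salt is stored inside the hash string, so a check has to reuse it while a create picks a new one. `sketch_pacrypt` and `sketch_verify` are hypothetical names, MD5-crypt is assumed only because its `$1$salt$digest` layout is easy to see, and the sample password is constructed.

```php
<?php
// Added example. sketch_pacrypt() is a hypothetical stand-in for the
// two-argument call pattern in the post, not the project's function.

// Create: no stored value, so generate a fresh random salt.
// Check: a stored "$1$salt$digest" value is given, so reuse its salt;
// the same password then reproduces exactly the stored string.
function sketch_pacrypt(string $pw, string $pw_db = ''): string
{
    $parts = explode('$', $pw_db);   // "$1$salt$digest" -> ['', '1', salt, digest]
    $salt = (count($parts) === 4 && $parts[1] === '1')
        ? $parts[2]
        : bin2hex(random_bytes(4));  // 8 hex characters
    return crypt($pw, '$1$' . $salt . '$');
}

// Verify in application code rather than in a second SQL query.
// A blank or malformed stored value never authenticates.
function sketch_verify(string $pw, string $stored): bool
{
    if (!preg_match('/^\$1\$[^$]{1,8}\$[.\/0-9A-Za-z]{22}$/', $stored)) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals($stored, sketch_pacrypt($pw, $stored));
}

// Constructed sample data.
$stored = sketch_pacrypt('correct horse');   // value written at account creation
$second = sketch_pacrypt('correct horse');   // created again: new salt

// Same password hashed twice without the stored value.
var_dump($stored === $second);
// Same password hashed with the stored value as second argument.
var_dump(sketch_pacrypt('correct horse', $stored) === $stored);
// Wrong password, and a blank stored value.
var_dump(sketch_verify('wrong guess', $stored));
var_dump(sketch_verify('', ''));
```

PHP's built-in `password_hash()` and `password_verify()` follow the same create/check split with stronger algorithms.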