Password bug

[NIXin]

I was recently changing the password for the root - for the system, for the mysql and... also for the admin user in ISPConfig. I generated a random password for all three and set them up. While SSH and MySQL worked nicely there was a problem with ISPConfig - I changed the password and lost the ability to log in back. So I run mysql from SSH selected the ispconfig database, got to sys_user and copied the encrypted password from one of my sites to the admin entry. I was able to log in with my accounts password. So I tried changing the password again (to the same one I generated early) - I got the same result - there was no way to login. So I did the same again and finally it came to me. My password had this:

Code:

'

sign inside. ISPConfigs' script didn't interpret that char correctly hence causing a bad password encrypted and written out to the SQL.

[falko]

I've added this to our bugtracker.

[jbravo]

Recently i realized that i have something strange with how ISPConfig handle passwords.
In my configuration i;'ve changed default setup to use md5 - longer passwords:

Code:

$go_info["server"]["password_hash"] = 'md5'; // 'crypt' = crypt; 'md5' = crypt-md5

Unfortunately sometimes it produce incorrect hashes - user can not login. Re-entering same password in ispconfig interface gives ma different hash. Sometime i have to reenter it two or three times to login (different hash value every time - i've double checked this).

This seems not to happen if i setup user accounts from ispconfig admin account (ispconfig clients logins gives me this behaviour) - but i do not work like this on a daily basis.

P.S. I use also user@domain mod but hashes in userdb file are always same as in /etc/shadow - so synchronized correctly.

EDIT: it happens despite user i choose (admin or not). I' ve always to check if password is ok - with mailuser or webmail login to be sure. This bug stopps me from giving their own admin panel for my users

[debian-lover]

Facing the same problem here. Any password with a

Quote:

' or "

is accepted during creation but rejected during login. I've confirmed that the md5 hash stored in database is correct.

Quote:

md5(c0mpl3x'p455w0rd) -> f77f1cea978098d09de63780a42b5756
Stored in database -> f77f1cea978098d09de63780a42b5756

Something is wrong with the password string that gets parsed during login.

[till]

I added this to the bugtracker for further investigation.

[flipkick]

ISPConfig had a problem with the correct escaping of special characters in login and password. I've fixed the bug in the SVN trunk and 2.2.-stable repository. For each version there's a different bugfix because of different versions of ispconfig_auth.lib.php and login.php.

@jbravo:
Please recheck with the bugfix.

http://bugtracker.ispconfig.org/inde...ils&task_id=22

cheers,
flip

[jbravo]

Quote:

Originally Posted by flipkick

ISPConfig had a problem with the correct escaping of special characters in login and password. I've fixed the bug in the SVN trunk and 2.2.-stable repository.

Does it mean that i can download "ISPConfig 2.x stable branch" from
http://www.ispconfig.org/downloads/I...-stable.tar.gz
and check if it works as expected?

Quote:

Originally Posted by flipkick

For each version there's a different bugfix because of different versions of ispconfig_auth.lib.php and login.php.

Does it also mean that all i have to do on production is to overwrite these two mentioned files from above archive with latest ISPConfig official release (2.2.23)?

[flipkick]

Hi jbravo,

Quote:

Originally Posted by jbravo

Does it mean that i can download "ISPConfig 2.x stable branch" from
http://www.ispconfig.org/downloads/I...-stable.tar.gz
and check if it works as expected?

exactly.

Quote:

Does it also mean that all i have to do on production is to overwrite these two mentioned files from above archive with latest ISPConfig official release (2.2.23)?

Almost. At the moment the bugfix is only available through ISPConfig-svn-stable.tar.gz or SVN. It will be available in the next official release (2.2.24 i guess). But yes, you may copy only lib/classes/ispconfig_auth.lib.php and web/login/login.php from the current ISPConfig-svn-stable.tar.gz to your production system to fix this bug.

cheers,
flip

[jbravo]

Quote:

Originally Posted by flipkick

Almost. At the moment the bugfix is only available through ISPConfig-svn-stable.tar.gz or SVN. It will be available in the next official release (2.2.24 i guess). But yes, you may copy only lib/classes/ispconfig_auth.lib.php and web/login/login.php from the current ISPConfig-svn-stable.tar.gz to your production system to fix this bug.

I've checked this with my vmware ispconfig 2.2.23 machine and it works! All keepass random generated passwords works as expected.
Ispconfig time for rewriting config files when changing password could be confusing - checked in ispconfig.log that system finished rewriting files before trying to login with new password.

Thanks and hope to see it asap in official release.