#1  
Old 4th March 2008, 21:03
NIXin NIXin is offline
Junior Member
 
Join Date: Dec 2006
Posts: 9
Thanks: 2
Thanked 0 Times in 0 Posts
Password bug

I was recently changing the password for root - for the system, for MySQL and... also for the admin user in ISPConfig. I generated a random password for all three and set them up. While SSH and MySQL worked nicely, there was a problem with ISPConfig - I changed the password and lost the ability to log back in. So I ran mysql from SSH, selected the ispconfig database, went to sys_user and copied the encrypted password from one of my sites to the admin entry. I was able to log in with my account's password. So I tried changing the password again (to the same one I generated earlier) - I got the same result - there was no way to log in. So I did the same again and finally it came to me. My password had this:
Code:
'
sign inside. ISPConfig's script didn't interpret that char correctly, hence causing a bad password to be encrypted and written out to the SQL.
Reply With Quote
  #2  
Old 5th March 2008, 16:10
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
Default

I've added this to our bugtracker.
__________________
Falko
Reply With Quote
  #3  
Old 6th March 2008, 13:26
jbravo jbravo is offline
Member
 
Join Date: Nov 2007
Location: Poland
Posts: 81
Thanks: 12
Thanked 3 Times in 2 Posts
Default

Recently I realized that I have something strange with how ISPConfig handles passwords.
In my configuration I've changed the default setup to use md5 - longer passwords:
Code:
$go_info["server"]["password_hash"] = 'md5'; // 'crypt' = crypt; 'md5' = crypt-md5
Unfortunately it sometimes produces incorrect hashes - the user cannot log in. Re-entering the same password in the ISPConfig interface gives me a different hash. Sometimes I have to re-enter it two or three times to log in (a different hash value every time - I've double-checked this).

This seems not to happen if I set up user accounts from the ISPConfig admin account (ISPConfig client logins give me this behaviour) - but I do not work like this on a daily basis.

P.S. I also use the user@domain mod, but the hashes in the userdb file are always the same as in /etc/shadow - so synchronized correctly.

EDIT: it happens regardless of the user I choose (admin or not). I always have to check if the password is OK - with a mailuser or webmail login to be sure. This bug stops me from giving my users their own admin panel.
__________________
--
GreetZ .:JbRaVo:.
ISPConfig 3.0.5.2 @ mail&web @ RHEL6.4,
ISPConfig 2.2.29@mailsrv & 2.2.38@websrv @ SLES10SP4

Last edited by jbravo; 14th April 2008 at 11:33.
Reply With Quote
  #4  
Old 14th April 2008, 01:49
debian-lover debian-lover is offline
HowtoForge Supporter
 
Join Date: Mar 2008
Posts: 13
Thanks: 3
Thanked 0 Times in 0 Posts
Default

Facing the same problem here. Any password with a
Quote:
' or "
is accepted during creation but rejected during login. I've confirmed that the md5 hash stored in the database is correct.
Quote:
md5(c0mpl3x'p455w0rd) -> f77f1cea978098d09de63780a42b5756
Stored in database -> f77f1cea978098d09de63780a42b5756
Something is wrong with the password string that gets parsed during login.

Last edited by debian-lover; 14th April 2008 at 01:56.
Reply With Quote
  #5  
Old 15th April 2008, 11:06
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,194
Thanks: 829
Thanked 5,419 Times in 4,261 Posts
Default

I added this to the bugtracker for further investigation.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #6  
Old 7th May 2008, 15:22
flipkick flipkick is offline
Junior Member
 
Join Date: May 2008
Location: Hamburg, Germany
Posts: 24
Thanks: 0
Thanked 3 Times in 2 Posts
Default

ISPConfig had a problem with the correct escaping of special characters in login and password. I've fixed the bug in the SVN trunk and 2.2.-stable repository. For each version there's a different bugfix because of different versions of ispconfig_auth.lib.php and login.php.

@jbravo:
Please recheck with the bugfix.

http://bugtracker.ispconfig.org/inde...ils&task_id=22

cheers,
flip

Last edited by flipkick; 7th May 2008 at 15:25.
Reply With Quote
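
An added illustration, not ISPConfig's code and not written by anyone in this thread: a quote character in the password, a correct hash in the database and a rejected login are the result when the password-setting path hashes the raw string while the login path hashes an escaped copy. The function names and the choice of addslashes() as the escaping step are assumptions; plain md5() is used only because the thread compares md5 values.

```php
<?php
// Added illustration; hypothetical function names, not ISPConfig code.
// Sample passwords are constructed from the example string in post #4.

// Password-setting path: hashes the password exactly as typed.
function store_hash(string $password): string {
    return md5($password);
}

// Assumed faulty login path: the input was escaped for SQL before hashing
// (magic_quotes_gpc or an explicit addslashes()), so a different byte
// string is hashed whenever the password contains ' " or \.
function login_escaped(string $input, string $stored): bool {
    return hash_equals($stored, md5(addslashes($input)));
}

// Consistent login path: hash the raw bytes. Escaping (or parameter
// binding) applies only to values placed into the SQL text itself.
function login_raw(string $input, string $stored): bool {
    return hash_equals($stored, md5($input));
}

// Diagnostic for an admin: which transformation of a known password
// reproduces the hash that is actually stored?
function diagnose(string $password, string $stored): array {
    $variants = [
        'raw'              => $password,
        'addslashes'       => addslashes($password),
        'htmlspecialchars' => htmlspecialchars($password, ENT_QUOTES),
    ];
    $hits = [];
    foreach ($variants as $name => $candidate) {
        if (hash_equals($stored, md5($candidate))) {
            $hits[] = $name;
        }
    }
    return $hits;
}

$cases = ["c0mpl3xp455w0rd", "c0mpl3x'p455w0rd", 'c0mpl3x"p455w0rd'];
foreach ($cases as $pw) {
    $stored = store_hash($pw);
    printf("%-18s escaped-path=%s raw-path=%s stored-as=%s\n", $pw,
        var_export(login_escaped($pw, $stored), true),
        var_export(login_raw($pw, $stored), true),
        implode(',', diagnose($pw, $stored)));
}
```

Running diagnose() against the value in sys_user with a password you know shows which side of the mismatch wrote the hash, which is the comparison post #4 made by hand.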
  #7  
Old 8th May 2008, 08:17
jbravo jbravo is offline
Member
 
Join Date: Nov 2007
Location: Poland
Posts: 81
Thanks: 12
Thanked 3 Times in 2 Posts
Default

Quote:
Originally Posted by flipkick
ISPConfig had a problem with the correct escaping of special characters in login and password. I've fixed the bug in the SVN trunk and 2.2.-stable repository.
Does it mean that I can download "ISPConfig 2.x stable branch" from
http://www.ispconfig.org/downloads/I...-stable.tar.gz
and check if it works as expected?

Quote:
Originally Posted by flipkick
For each version there's a different bugfix because of different versions of ispconfig_auth.lib.php and login.php.
Does it also mean that all I have to do on production is to overwrite these two mentioned files from the above archive with the latest ISPConfig official release (2.2.23)?
Reply With Quote
  #8  
Old 8th May 2008, 12:14
flipkick flipkick is offline
Junior Member
 
Join Date: May 2008
Location: Hamburg, Germany
Posts: 24
Thanks: 0
Thanked 3 Times in 2 Posts
Default

Hi jbravo,


Quote:
Originally Posted by jbravo
Does it mean that I can download "ISPConfig 2.x stable branch" from
http://www.ispconfig.org/downloads/I...-stable.tar.gz
and check if it works as expected?
Exactly.

Quote:
Does it also mean that all I have to do on production is to overwrite these two mentioned files from the above archive with the latest ISPConfig official release (2.2.23)?
Almost. At the moment the bugfix is only available through ISPConfig-svn-stable.tar.gz or SVN. It will be available in the next official release (2.2.24, I guess). But yes, you may copy only lib/classes/ispconfig_auth.lib.php and web/login/login.php from the current ISPConfig-svn-stable.tar.gz to your production system to fix this bug.

cheers,
flip
Reply With Quote
  #9  
Old 8th May 2008, 15:08
jbravo jbravo is offline
Member
 
Join Date: Nov 2007
Location: Poland
Posts: 81
Thanks: 12
Thanked 3 Times in 2 Posts
 
Default

Quote:
Originally Posted by flipkick
Almost. At the moment the bugfix is only available through ISPConfig-svn-stable.tar.gz or SVN. It will be available in the next official release (2.2.24, I guess). But yes, you may copy only lib/classes/ispconfig_auth.lib.php and web/login/login.php from the current ISPConfig-svn-stable.tar.gz to your production system to fix this bug.
I've checked this with my VMware ISPConfig 2.2.23 machine and it works! All KeePass randomly generated passwords work as expected.
The time ISPConfig takes to rewrite config files when changing a password could be confusing - I checked in ispconfig.log that the system had finished rewriting files before trying to log in with the new password.

Thanks, and I hope to see it ASAP in an official release.
Reply With Quote