HowtoForge Forums (ISPConfig 2 > General)
#1 - 9th March 2006, 11:16
bjmg (Junior Member; Püttlingen, Saarland, Germany)
Possible security problem
Hello,

my name is Bernhard Grün and I have been using ISPConfig for some time (without any problems). During a security audit (with version 2.2.0) I saw a problem in my /etc/shadow file:
Code:
web4_bjmg:teCi1U7ES.EJw:13216:0:99999:7:::
As you can see, my username is web4_bjmg and the password is only crypt-hashed, without MD5 (this alone is a problem in itself!). But the problem I see is MUCH bigger.
The password for the account above is currently "tester". As you can see, the first two chars of the hashed password string are "te". So the effective password length goes down by 2! This makes word list attacks easy. I think this should be changed soon.
This is the corresponding code from the mailuser backend:
Code:
// salt = substr(password, 0, 2): the first two plaintext characters are written in clear to /etc/shadow
$rec["user_passwort"] = "||||:".crypt(trim($_POST["user_passwort"]),substr(trim($_POST["user_passwort"]),0,2));
As you can see, it just uses the first two chars of the password string as the salt. This is NOT good. Normally the salt should be something like a CRC16 of the username, i.e. a function that outputs two bytes from an input string of variable length. This makes it harder to compare passwords against other passwords.
Example:
Code:
web4_bjmg:teCi1U7ES.EJw:13216:0:99999:7:::
web1_info:teCi1U7ES.EJw:13216:0:99999:7:::
As you can see, both hashed passwords are the same. True, the passwords are the same. But this means that if one account is hacked, all accounts with the same password are hacked too (even if the persons are NOT connected to each other).

I would really love to see this fixed because it makes ISPConfig much more secure.
There is also a setting in config.inc.php:
Code:
$go_info["server"]["password_hash"] = 'crypt'; // 'crypt' = crypt; 'md5' = crypt-md5
Changing that to md5 does nothing. At least I didn't find a line of code that uses this password_hash variable.


Best wishes

Bernhard
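The two effects described in the post above, the prefix leak and the cross-account hash collision, modelled as an added example. This is not ISPConfig code and not the poster's; it assumes a SHA-256 stand-in for DES crypt(3) that keeps crypt's output layout (salt in clear as the first two characters), and the shadow lines and wordlist are constructed for the demonstration. The salt lesson does not depend on which hash primitive is used.

```python
"""Added example (not ISPConfig code): why salt = password[:2] is dangerous.

Models the ISPConfig 2.2.0 scheme quoted in the post, where PHP crypt() was
called with the first two characters of the plaintext password as the salt,
next to the random two-character salt a crypt() caller should use instead.
Traditional DES crypt(3) is replaced by a SHA-256 stand-in (assumption, so
the script needs no deprecated crypt module); like crypt, the output starts
with the two salt characters in clear.
"""
import hashlib
import secrets
import string
from typing import Dict, List, Optional

# Alphabet crypt(3) accepts for its two-character salt.
SALT_CHARS = string.ascii_letters + string.digits + "./"

# Constructed wordlist for the demonstration.
WORDLIST = ["password", "letmein", "test", "tester",
            "teatime", "qwerty", "123456", "tesla"]


def weak_salt(password: str) -> str:
    """The ISPConfig 2.2.0 behaviour: substr($password, 0, 2)."""
    return password[:2]


def random_salt() -> str:
    """What a caller should do instead: two characters from a CSPRNG."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(2))


def fake_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3), NOT the real algorithm: as with crypt, the
    result begins with the two salt characters, followed by 11 hash chars."""
    salt = salt[:2]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


def make_shadow_line(user: str, password: str, salt: str) -> str:
    """Build an /etc/shadow style line shaped like the one in the post
    (constructed data; the ageing fields are copied from that line)."""
    return f"{user}:{fake_crypt(password, salt)}:13216:0:99999:7:::"


def salt_from_shadow(line: str) -> str:
    """The salt is always visible: the first two chars of field 2."""
    return line.split(":")[1][:2]


def candidates_after_prefix_leak(line: str, wordlist: List[str]) -> List[str]:
    """Under the weak scheme the visible salt IS the first two characters of
    the password, so only words with that prefix need to be tried."""
    prefix = salt_from_shadow(line)
    return [w for w in wordlist if w.startswith(prefix)]


def crack(line: str, wordlist: List[str]) -> Optional[str]:
    """Wordlist attack against one shadow line, using the prefix leak."""
    target = line.split(":")[1]
    salt = salt_from_shadow(line)
    for word in candidates_after_prefix_leak(line, wordlist):
        if fake_crypt(word, salt) == target:
            return word
    return None


def shared_password_groups(lines: List[str]) -> Dict[str, List[str]]:
    """Accounts whose hash fields are identical. With a password-derived
    salt, equal passwords give equal hashes, so one cracked hash exposes
    every account in the group; random salts break that correlation."""
    by_hash: Dict[str, List[str]] = {}
    for line in lines:
        user, field = line.split(":")[:2]
        by_hash.setdefault(field, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    weak = [make_shadow_line("web4_bjmg", "tester", weak_salt("tester")),
            make_shadow_line("web1_info", "tester", weak_salt("tester")),
            make_shadow_line("web2_shop", "qwerty", weak_salt("qwerty"))]
    print("candidates left after prefix leak:",
          candidates_after_prefix_leak(weak[0], WORDLIST), "of", len(WORDLIST))
    print("cracked:", crack(weak[0], WORDLIST))
    print("accounts sharing a password (weak salt):", shared_password_groups(weak))
    strong = [make_shadow_line(u, "tester", random_salt())
              for u in ("web4_bjmg", "web1_info")]
    print("same password, random salts:", shared_password_groups(strong))
```

Running the script shows the wordlist shrinking to the four "te" words, the hash being recovered, and both weak-salt accounts grouped under one hash, while the same password under two random salts yields no shared group. The same grouping check run over a real /etc/shadow is a quick way to audit a server for this class of bug: identical field-2 values across users are a red flag regardless of hash algorithm.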
#2 - 15th March 2006, 12:21
till (Super Moderator; Lüneburg, Germany)

For others reading this post, please have a look at these threads:

http://www.howtoforge.com/forums/showthread.php?t=3009
http://www.howtoforge.com/forums/showthread.php?t=3025

The problem will be patched in release 2.2.1

As a workaround, set this in config.inc.php

Quote:
$go_info["server"]["password_hash"] = 'md5';
UPDATE: The patch is already in the ISPConfig SVN repository. The SVN versions are available for download here:

http://www.ispconfig.org/downloads.htm
#3 - 15th March 2006, 18:33
bjmg (Junior Member)

Thanks for fixing it!

Bernhard