#1  
Old 17th April 2006, 04:08
lyndros lyndros is offline
Senior Member
 
Join Date: Mar 2006
Location: Granada
Posts: 130
Thanks: 5
Thanked 3 Times in 2 Posts
Default ISPCONFIG 2.2.1 Possible BUG?

Hi guys,

i think that i discovered a little bug in ispconfig 2.2.1 (i updated from 2.2.0),
when u set a password for an email account under the ispconfig panel from a site, then the password that gets set is wrong if it's more than 8 chars long,

for example:

i have web1_user1 and i want to set this password for its email: example1 (this is an 8 char pass), so there is no problem, the password is set and u can log in only with this password. but when u try to set a longer password, like example1234, then ispconfig sets the password for this account as
example1* -> in this way u can log in with all these passwords:
example12
example123
example1anything ... etc

can anybody confirm that? (only for email user passwords i think)

keep up the good work

see u thk u all
  #2  
Old 17th April 2006, 06:15
hastlaug hastlaug is offline
Member
 
Join Date: Apr 2006
Posts: 30
Thanks: 0
Thanked 1 Time in 1 Post
Default

Confirmed.
Same problem here.
  #3  
Old 17th April 2006, 14:16
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,383
Thanks: 833
Thanked 5,485 Times in 4,317 Posts
Default

Ok, we will check this. And when you use the passwd command on the shell, this behaviour does not exist?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #4  
Old 17th April 2006, 14:20
lyndros lyndros is offline

Quote:
Originally Posted by till
Ok, we will check this. And when you use the passwd command on the shell, this behaviour does not exist?
no, with the shell there is no problem. i've tried to fix it, but i don't know which file has the code for registering the password. if anybody knows, i could take a look to the code with the permission of the masters :-P

thk u all
  #5  
Old 17th April 2006, 14:25
till till is offline

Quote:
i could take a look to the code with the permission of the masters :-P
Sure. The code is in /home/admispconfig/ispconfig/lib/classes/isp_isp_user.lib.php

The code is there twice, once in the user_insert and once in the user_update function.
  #6  
Old 17th April 2006, 16:58
lyndros lyndros is offline

Quote:
Originally Posted by till
Sure The code is in /home/admispconfig/ispconfig/lib/classes/isp_isp_user.lib.php

The code is there twice, once in the user_insert and once in the user_update function.
ok, that is the problem: the standard php crypt function crypt() returns the seed as the first 2 chars of the generated output string, and in this way it only uses the first 8 chars of the string parameter, so if we use 2 strings with the same first 8 chars then it returns the same output.

looking at the code:
/home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
(LINE APPROX 300)

    if($go_info["server"]["password_hash"] == 'crypt') {
        $salt="";
        for ($n=0;$n<2;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
    } else {
        $salt="$1$";
        for ($n=0;$n<8;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
        $salt.="$";
    }

ok, taking just a look here i can see that the default form of crypt is DES with a 2 char generated seed, and long passwords are never reached in this way, so the solution, i think, is ....

so if u want to try, change the above code, which appears in both functions (insert & update), to this...

    if($go_info["server"]["password_hash"] == 'crypt') { // by lyndros
        // i have to encrypt password in which way?
        // now we have to look for the password length

        if (strlen($user["user_passwort"])<=8){
            // CODE FOR GENERATING 2 CHAR SEED
            $salt="";
            for ($n=0;$n<2;$n++) {
                $salt.=chr(mt_rand(64,126));
            }
            //echo "hi im type short STANDARD DES DEFAULT ENCRYPTION";
        } else {
            // CODE FOR GENERATING 8 CHARS SEED
            $salt="$1$";
            for ($n=0;$n<8;$n++) {
                $salt.=chr(mt_rand(64,126));
            }
            $salt.="$";
            //echo "hi im type long STANDARD MD5 ENCRYPTION";
        }
    }

i think that this is the solution, it's working for me for short & long passwords, hope that helps

thk u all for supporting all my questions
  #7  
Old 17th April 2006, 17:15
till till is offline

Thanks for your patch. If I understand your patch right, it will be sufficient as a short workaround to set the variable

$go_info["server"]["password_hash"] = 'crypt';

to:

$go_info["server"]["password_hash"] = 'md5';

in the ISPConfig configuration file /home/admispconfig/ispconfig/lib/config.inc.php? Or did you encounter problems with the second hash if the password is shorter than 8 chars?
  #8  
Old 18th April 2006, 02:06
lyndros lyndros is offline

Quote:
Originally Posted by till
Thanks for your patch. If I understand your patch right, it will be sufficient as a short workaround to set the variable

$go_info["server"]["password_hash"] = 'crypt';

to:

$go_info["server"]["password_hash"] = 'md5';

in the ISPConfig configuration file /home/admispconfig/ispconfig/lib/config.inc.php? Or did you encounter problems with the second hash if the password is shorter than 8 chars?
Ok till, i maintained the DES encryption because i didn't know if it was here for a compatibility reason, tomorrow i'll do some tests with your guides and i'll post the results :-P, only with MD5 encryption

see u
  #9  
Old 19th April 2006, 22:29
lyndros lyndros is offline

Quote:
Originally Posted by lyndros
Ok till, i maintained the DES encryption because i didn't know if it was here for a compatibility reason, tomorrow i'll do some tests with your guides and i'll post the results :-P, only with MD5 encryption

see u
i've been a little busy, so here is the solution: the easier solution is to make md5 crypt the default, and the easier way to do this is to replace the code

    if($go_info["server"]["password_hash"] == 'crypt') {
        $salt="";
        for ($n=0;$n<2;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
    } else {
        $salt="$1$";
        for ($n=0;$n<8;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
        $salt.="$";
    }

with that:

    if($go_info["server"]["password_hash"] == 'crypt') { // by lyndros
        // i have to encrypt password
        // CODE FOR GENERATING 8 CHARS SEED
        $salt="$1$";
        for ($n=0;$n<8;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
        $salt.="$";
        $passwort = "||||:".crypt($user["user_passwort"], $salt);
    } else {
        // unencrypted passwords
        $passwort = "||||:".$user["user_passwort"];
    }

ok, in this way the password is encrypted with md5 encryption by default, and there's no problem with long & short passwords as far as i tested.

as u guessed, till, changing the line to $go_info["server"]["password_hash"] = 'md5'; will work, because all passwords will be encrypted with md5, but in my personal opinion it is better to clean out the unnecessary code.

the 2 char seed for short passwords was put in for compatibility reasons, but most linux distributions support md5 (i think almost all), so if there's no other reason for it, it's safe to do this little patch.

thk u to all see u soon

Last edited by lyndros; 19th April 2006 at 23:03.
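
The behaviour discussed in posts #6 and #9, as an added example that is not part of the original posts or of ISPConfig: it hashes the thread's example1234 password once with a 2-character DES salt and once with a $1$ MD5 salt, then checks which login attempts each stored hash accepts. The helper names random_salt_chars and accepts are hypothetical, and the salt is drawn from the crypt alphabet ./0-9A-Za-z with random_int() (PHP 7 or later) instead of chr(mt_rand(64,126)).

```php
<?php
// Added example, not ISPConfig code. Passwords are the ones used in the thread.

// Salt characters for crypt() must come from the alphabet "./0-9A-Za-z";
// current PHP fails DES hashing when the salt contains anything else.
const CRYPT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Hypothetical helper: $len random salt characters from a CSPRNG.
function random_salt_chars(int $len): string
{
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= CRYPT_ALPHABET[random_int(0, strlen(CRYPT_ALPHABET) - 1)];
    }
    return $out;
}

// Hypothetical helper: verify a login attempt the way a crypt(3)-based
// checker does, re-hashing the candidate with the stored hash as the salt.
function accepts(string $stored, string $candidate): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

$password = 'example1234';
$attempts = ['example1234', 'example1', 'example12', 'example1anything', 'example'];

$schemes = [
    'DES (2-char salt)' => random_salt_chars(2),
    'MD5 ($1$ salt)'    => '$1$' . random_salt_chars(8) . '$',
];

foreach ($schemes as $name => $salt) {
    $stored = crypt($password, $salt);
    echo "$name  stored: $stored\n";
    foreach ($attempts as $try) {
        printf("  %-18s %s\n", $try, accepts($stored, $try) ? 'ACCEPTED' : 'rejected');
    }
}
```

With the DES salt every attempt that begins with example1 is accepted, because only the first 8 characters of the password reach the hash; with the $1$ salt only the full example1234 matches.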