ISPCONFIG 2.2.1 Possible BUG?

[lyndros]

Hi guys,

i think that i discovered a little bug on ispconfig 2.2.1 (i updated from 2.2.0),
when u set a password for an email account under the ispconfig panel from a site then the setted password is wrong if it's more 8 chars long,

for example:

i have web1_user1 i want to set this password for it's email example1 (this is an 8 char pass) so there is no problem , the password is setted and u can loggin only with this password, but when u try to set a longer password, like example1234 then ispconfig sets the password for this account, as
example1* -> in this way u can loggin with all this passwords
example12
example123
example1anything ... etc

can anybody confirm that (only for email user passwords i think)

keep up the good work

see u thk u all

[hastlaug]

Confirmed.
Same problem here.

[till]

Ok, we will check this. And when you use the passwd command on the shell, this behaviour does not exist?

[lyndros]

Quote:

Originally Posted by till

Ok, we will check this. And when you use the passwd command on the shell, this behaviour does not exist?

no with the shell there is no problem, i've tried to fix it, but i dont know in which file is the code about registrating password if anybody knows i could take a look to the code with the permission of the masters :-P

thk u all

[till]

Quote:

i could take a look to the code with the permission of the masters :-P

Sure The code is in /home/admispconfig/ispconfig/lib/classes/isp_isp_user.lib.php

The code is there twice, once in the user_insert and once in the user_update function.

[lyndros]

Quote:

Originally Posted by till

Sure The code is in /home/admispconfig/ispconfig/lib/classes/isp_isp_user.lib.php

The code is there twice, once in the user_insert and once in the user_update function.

ok that is the problem the standard php crypt function crypt(), returns the seed as the 2 first chars of the output generated string, in this way it only uses the first 8 chars of the string parameter, so if we use the 2 strings with the same first 8 chars then it returns the same output.

looking at the code:
/home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
(LINE APROX 300)

if($go_info["server"]["password_hash"] == 'crypt') {
$salt="";
for ($n=0;$n<2;$n++) {
$salt.=chr(mt_rand(64,126));
}
} else {
$salt="$1$";
for ($n=0;$n<8;$n++) {
$salt.=chr(mt_rand(64,126));
}
$salt.="$";
}

ok taking just a look here i can see that default form of being crypt is DES with 2 chars generated seed, and never is reached long passwords in this way, so the solution i think that is ....

so if u want to try change the above code that appears in both functions insert & update with this...

if($go_info["server"]["password_hash"] == 'crypt') { // by lyndros
// i have to encrypt password in which way?
// now we have to look for the password length

if (strlen($user["user_passwort"])<=8){
// CODE FOR GENERATING 2 CHAR SEED
$salt="";
for ($n=0;$n<2;$n++) {
$salt.=chr(mt_rand(64,126));
}
//echo "hi im type short STANDARD DES DEFAULT ENCRYPTION";
} else {
// CODE FOR GENERATING 8 CHARS SEED
$salt="$1$";
for ($n=0;$n<8;$n++) {
$salt.=chr(mt_rand(64,126));
}
$salt.="$";
//echo "hi im type long STANDARD MD5 ENCRYPTION";
}
}

i think that this is the solution, its working for me for short & long passwords, hope that helps

thk u all for supporting all my questions

[till]

Thanks for your patch. If i understand your patch right, it will be sufficient as short workaround to set the variable

$go_info["server"]["password_hash"] = 'crypt';

to:

$go_info["server"]["password_hash"] = 'md5';

in the ISPConfig configuration file /home/admispconfig/ispconfig/lib/config.inc.php? Or did you encounter problems with the second hash if the password is shorter then 8 chars?

[lyndros]

Quote:

Originally Posted by till

Thanks for your patch. If i understand your patch right, it will be sufficient as short workaround to set the variable

$go_info["server"]["password_hash"] = 'crypt';

to:

$go_info["server"]["password_hash"] = 'md5';

in the ISPConfig configuration file /home/admispconfig/ispconfig/lib/config.inc.php? Or did you encounter problems with the second hash if the password is shorter then 8 chars?

Ok till, i maintained the DES encryption because i didn't know if was here for a compatibility reason, tomorrow i'll do some test with your guides and i'll post the results :-P, only with MD5 encryption

see u

[lyndros]

Quote:

Originally Posted by lyndros

Ok till, i maintained the DES encryption because i didn't know if was here for a compatibility reason, tomorrow i'll do some test with your guides and i'll post the results :-P, only with MD5 encryption

see u

i`ve been a little busy so here is the solution, the easier solution is to make md5 crypt by default, to do this the easier way is to replace the code

if($go_info["server"]["password_hash"] == 'crypt') {
$salt="";
for ($n=0;$n<2;$n++) {
$salt.=chr(mt_rand(64,126));
}
} else {
$salt="$1$";
for ($n=0;$n<8;$n++) {
$salt.=chr(mt_rand(64,126));
}
$salt.="$";
}

with that:

if($go_info["server"]["password_hash"] == 'crypt') { // by lyndros
// i have to encrypt password
// CODE FOR GENERATING 8 CHARS SEED
$salt="$1$";
for ($n=0;$n<8;$n++) {
$salt.=chr(mt_rand(64,126));
}
$salt.="$";
$passwort = "||||:".crypt($user["user_passwort"], $salt);
}else{
//unencrypted passwords
$passwort = "||||:".$user["user_passwort"];
}

ok by this way by default the password is encrypt with md5 encryption, and theres no problem without long & short passwords as long as i tested.

as u guess till, if we change the line to $go_info["server"]["password_hash"] = 'md5'; will work, because all passwords will be encrypted with md5, but in my personal opinion is better to clean of unnecesary code .

the 2 char seed, for shorts password wass putted for compatibility reasons, but most linux distrubutions support md5 (i think almost all) so if there's not another reason for that it's safe to do this little patch.

thk u to all see u soon