Bugs in PostfixAdmin with blank passwords?

Discussion in 'HOWTO-Related Questions' started by voipfc, Mar 18, 2007.

  1. voipfc

    voipfc New Member

    Are there some bugs in PostfixAdmin?

    Unless I haven't configured it properly there must be some flaw somewhere.

    The passwords are blank.
     
  2. falko

    falko Super Moderator

    I don't know PostfixAdmin, but maybe it doesn't display anything in the password fields, even if passwords are set? At least that's the way ISPConfig behaves.
     
  3. voipfc

    voipfc New Member

    Examining the code shows some inconsistency

    My initial post was due to a misconfiguration, but it the code shows some inconsistency to me.

    It appears that the way passwords are created differs from how they are tested when the user tries to login to administer their own acccount, and in the case of admins, their domain users accounts.

    Is some cases user checks are made by comparing the entered password against a hash of the existing password.

    This what the code for the login.php on both the admin and the user/mailbox page looks like. The record is checked against a password derived from his plaintext password on the form and the password in the database.

    PHP:
    if ($_SERVER['REQUEST_METHOD'] == "POST")
    {
       
    $fUsername escape_string ($_POST['fUsername']);
       
    $fPassword escape_string ($_POST['fPassword']);

       
    $result db_query ("SELECT password FROM admin WHERE username='$fUsername' AND active='1'");
       if (
    $result['rows'] == 1)
       {
          
    $row db_array ($result['result']);
          
    $password pacrypt ($fPassword$row['password']);

          
    $result db_query ("SELECT * FROM admin WHERE username='$fUsername' AND password='$password' AND active='1'");
          if (
    $result['rows'] != 1)
          {
             
    $error 1;
             
    $tMessage $PALANG['pLogin_password_incorrect'];
             
    $tUsername $fUsername;
          }
       }
       else
       {
          
    $error 1;
          
    $tMessage $PALANG['pLogin_username_incorrect'];
       }

       if (
    $error != 1)
       {
          
    session_start();
          
    session_register("sessid");
          
    $_SESSION['sessid']['username'] = $fUsername;

          
    header("Location: main.php");
          exit;
       }
    In password.php for both admin and user the same also a applied

    PHP:
       if ($result['rows'] == 1)
       {
          
    $row db_array ($result['result']);
          
    $checked_password pacrypt ($fPassword_current$row['password']);

            
    $result db_query ("SELECT * FROM admin WHERE username='$username' AND password='$checked_password'");      
          if (
    $result['rows'] != 1)
          {
             
    $error 1;
             
    $pPassword_password_current_text $PALANG['pPassword_password_current_text_error'];
          }
       }
       else
       {
          
    $error 1;
          
    $pPassword_email_text $PALANG['pPassword_email_text_error']; 
       }

    Yet when the record is created or updated the password stored in the database is generated by pacrypt($fPassword), as it would be meaningless to generate it against a hash of what is already there.

    Unless it is flawed I don't think I quite understand the code
     

Share This Page