diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php
index 506659f6e76b5064c406098b7541ce8f654986d2..9e3f07d102f3dc4062115eb1c970016e4cf27e8f 100644
--- a/install/dist/lib/fedora.lib.php
+++ b/install/dist/lib/fedora.lib.php
@@ -1227,8 +1227,8 @@ class installer_dist extends installer_base {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
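Review bot: When the `$conf['interface_password']!='admin'` guard on the context line skips this UPDATE, the admin row keeps the `'xxx'` placeholder that this commit puts into install/sql/ispconfig3.sql, so the account holds a value that is not a hash of anything and, as far as the diff shows, nothing tells the operator. Before this commit the skipped case left a working MD5 digest in place; now it leaves an account that cannot log in. Refusing the default password is a reasonable outcome, but it should be explicit, for example by rejecting it where the password is collected. The branch also deserves a comment such as `// seed row holds a non-hash placeholder; skipping this UPDATE leaves admin unable to log in`. The same guard and call appear in the gentoo.lib.php, opensuse.lib.php and second installer_base.lib.php hunks, and the enclosing method starts and ends outside each of them.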
diff --git a/install/dist/lib/gentoo.lib.php b/install/dist/lib/gentoo.lib.php
index acd4dbcf618cbdd79388b8bc26cd3b828f9b9f0d..a7d62cda0b5e768de52d2e218fe89fc61d14c23c 100644
--- a/install/dist/lib/gentoo.lib.php
+++ b/install/dist/lib/gentoo.lib.php
@@ -1115,8 +1115,8 @@ class installer extends installer_base
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php
index cb145ea7df3c98a18b67bd0f76a600c78c2bdf92..8a4152d9b5c251b63e25ed1440aea1bca511fc12 100644
--- a/install/dist/lib/opensuse.lib.php
+++ b/install/dist/lib/opensuse.lib.php
@@ -1215,8 +1215,8 @@ class installer_dist extends installer_base {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 7bb75d8c375dbe8f92edb9bb51abc498654e696a..338a3dfc7ed6198dd5abce2b82ce57e51bfe0082 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -157,6 +157,34 @@ class installer_base {
 		else return true;
 	}
 
+	public function crypt_password($cleartext_password, $charset = 'UTF-8') {
+		if($charset != 'UTF-8') {
+			$cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
+		}
+
+		if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) {
+			$salt = '$6$rounds=5000$';
+			$salt_length = 16;
+		} elseif(defined('CRYPT_SHA256') && CRYPT_SHA256 == 1) {
+			$salt = '$5$rounds=5000$';
+			$salt_length = 16;
+		} else {
+			$salt = '$1$';
+			$salt_length = 12;
+		}
+
+		if(function_exists('openssl_random_pseudo_bytes')) {
+			$salt .= substr(bin2hex(openssl_random_pseudo_bytes($salt_length)), 0, $salt_length);
+		} else {
+			$base64_alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
+			for($n = 0; $n < $salt_length; $n++) {
+				$salt .= $base64_alphabet[mt_rand(0, 63)];
+			}
+		}
+		$salt .= "$";
+		return crypt($cleartext_password, $salt);
+	}
+
 	//** Detect installed applications
 	public function find_installed_apps() {
 		global $conf;
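Review bot: `crypt_password()` returns whatever `crypt()` produces without checking it, and the four installer call sites in this commit write that value straight into `sys_user.passwort`. PHP documents that `crypt()` signals failure with a string shorter than 13 characters, so a guard such as `if(!is_string($hash) || strlen($hash) < 13)` before the return would keep a failure token from being stored as the admin password. The function also degrades silently in two places: to `$1$` (MD5-crypt, which uses at most 8 of the 12 salt characters generated here) when neither SHA constant is set, and to `mt_rand()` for the salt when `openssl_random_pseudo_bytes` is missing, which is not a cryptographically secure source. A docblock stating the scheme order, the salt source, and that `$charset` is the target encoding handed to `mb_convert_encoding` would make those trade-offs visible to the next maintainer.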
@@ -3415,8 +3443,8 @@ class installer_base {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql
index 8fb5cdfb7484083acc2b5980ad387830fd6e3637..0f10d59ac6297856b7530ffbb9058a808b8dbd16 100644
--- a/install/sql/ispconfig3.sql
+++ b/install/sql/ispconfig3.sql
@@ -2580,7 +2580,7 @@ INSERT INTO `sys_theme` (`var_id`, `tpl_name`, `username`, `logo_url`) VALUES (N
 -- Dumping data for table `sys_user`
 --
 
-INSERT INTO `sys_user` (`userid`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `username`, `passwort`, `modules`, `startmodule`, `app_theme`, `typ`, `active`, `language`, `groups`, `default_group`, `client_id`) VALUES (1, 1, 0, 'riud', 'riud', '', 'admin', '21232f297a57a5a743894a0e4a801fc3', 'dashboard,admin,client,mail,monitor,sites,dns,vm,tools,help', 'dashboard', 'default', 'admin', 1, 'en', '1,2', 1, 0);
+INSERT INTO `sys_user` (`userid`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `username`, `passwort`, `modules`, `startmodule`, `app_theme`, `typ`, `active`, `language`, `groups`, `default_group`, `client_id`) VALUES (1, 1, 0, 'riud', 'riud', '', 'admin', 'xxx', 'dashboard,admin,client,mail,monitor,sites,dns,vm,tools,help', 'dashboard', 'default', 'admin', 1, 'en', '1,2', 1, 0);
 
 -- --------------------------------------------------------
 
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index b5d5abc27bcad7a3f42b328709ade27e6ec1c7c3..d820e917c98e29ad290a95ec1408e9bb125665da 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -83,23 +83,23 @@ if(count($_POST) > 0) {
 				 * The actual user is NOT a admin or reseller, but maybe he
 				 * has logged in as "normal" user before...
 				 */
-				
+
 				if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin' || $app->auth->has_clients($_SESSION['s_old']['user']['userid']))){
 					/* The "old" user is admin or reseller, so everything is ok
 					 * if he is reseller, we need to check if he logs in to one of his clients
 					 */
 					if($_SESSION['s_old']['user']['typ'] != 'admin') {
-						
+
 						/* this is the one currently logged in (normal user) */
 						$old_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 						$old_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $old_client_group_id);
-						
+
 						/* this is the reseller, that shall be re-logged in */
 						$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
 						$tmp = $app->db->queryOneRecord($sql, $username, $password);
 						$client_group_id = $app->functions->intval($tmp['default_group']);
 						$tmp_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
-						
+
 						if(!$tmp_client || $old_client["parent_client_id"] != $tmp_client["client_id"] || $tmp["default_group"] != $_SESSION["s_old"]["user"]["default_group"] ) {
 							die("You don't have the right to 'login as' this user!");
 						}
@@ -115,12 +115,12 @@ if(count($_POST) > 0) {
 				/* a reseller wants to 'login as', we need to check if he is allowed to */
 				$res_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 				$res_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $res_client_group_id);
-				
+
 				/* this is the user the reseller wants to 'login as' */
 				$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
 				$tmp = $app->db->queryOneRecord($sql, $username, $password);
 				$tmp_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $tmp["default_group"]);
-				
+
 				if(!$tmp || $tmp_client["parent_client_id"] != $res_client["client_id"]) {
 					die("You don't have the right to login as this user!");
 				}
@@ -129,16 +129,16 @@ if(count($_POST) > 0) {
 				unset($tmp_client);
 			}
 			$loginAs = true;
-			
+
 		} else {
 			/* normal login */
 			$loginAs = false;
 		}
-		
+
 		//* Check if there are already wrong logins
 		$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND  `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
 		$alreadyfailed = $app->db->queryOneRecord($sql, $ip);
-		
+
 		//* too many failedlogins
 		if($alreadyfailed['times'] > 5) {
 			$error = $app->lng('error_user_too_many_logins');
@@ -148,7 +148,7 @@ if(count($_POST) > 0) {
 				$sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
 				$user = $app->db->queryOneRecord($sql, $username, $password);
 			} else {
-			
+
 				if(stristr($username, '@')) {
 					//* mailuser login
 					$sql = "SELECT * FROM mail_user WHERE login = ? or email = ?";
@@ -160,7 +160,7 @@ if(count($_POST) > 0) {
 						if(crypt(stripslashes($password), $saved_password) == $saved_password) {
 							//* Get the sys_user language of the client of the mailuser
 							$sys_user_lang = $app->db->queryOneRecord("SELECT language FROM sys_user WHERE default_group = ?", $mailuser['sys_groupid'] );
-							
+
 							//* we build a fake user here which has access to the mailuser module only and userid 0
 							$user = array();
 							$user['userid'] = 0;
@@ -196,6 +196,10 @@ if(count($_POST) > 0) {
 							//* The password is md5 encrypted
 							if(md5($password) != $saved_password) {
 								$user = false;
+							} else {
+								// update password with secure algo
+								$sql = 'UPDATE `sys_user` SET `passwort` = ? WHERE `username` = ?';
+								$app->db->query($sql, $app->auth->crypt_password($password), $username);
 							}
 						}
 					} else {
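Review bot: The new `else` branch rewrites the stored hash on the strength of the loose `md5($password) != $saved_password` test on the context line above it, so a comparison that used to decide one login now also decides a permanent write; it should be strict, `if(md5($password) !== $saved_password) {`, or use `hash_equals()` where the supported PHP version has it. The branch also hashes `$password` as posted, while the mailuser check visible earlier in this file verifies with `crypt(stripslashes($password), $saved_password)`. If the sys_user crypt check outside this hunk normalises the same way, the upgrade should hash `stripslashes($password)` too, otherwise a password containing backslashes would stop verifying after its first upgrade. Keying the UPDATE on `$user['userid']` instead of `$username` would tie the write to the row that was actually matched (presumably the same row, but the lookup is outside the hunk). The enclosing if/else chain starts and ends outside this hunk.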
@@ -203,19 +207,19 @@ if(count($_POST) > 0) {
 					}
 				}
 			}
-			
+
 			if($user) {
 				if($user['active'] == 1) {
 					// Maintenance mode - allow logins only when maintenance mode is off or if the user is admin
 					if(!$app->is_under_maintenance() || $user['typ'] == 'admin'){
-						
+
 						// User login right, so attempts can be deleted
 						$sql = "DELETE FROM `attempts_login` WHERE `ip`=?";
 						$app->db->query($sql, $ip);
 						$user = $app->db->toLower($user);
-						
+
 						if ($loginAs) $oldSession = $_SESSION['s'];
-						
+
 						// Session regenerate causes login problems on some systems, see Issue #3827
 						// Set session_regenerate_id to no in security settings, it you encounter
 						// this problem.
@@ -231,7 +235,7 @@ if(count($_POST) > 0) {
 						$_SESSION['s']['language'] = $app->functions->check_language($user['language']);
 						$_SESSION["s"]['theme'] = $_SESSION['s']['user']['theme'];
 						if ($loginAs) $_SESSION['s']['plugin_cache'] = $_SESSION['s_old']['plugin_cache'];
-						
+
 						if(is_file(ISPC_WEB_PATH . '/' . $_SESSION['s']['user']['startmodule'].'/lib/module.conf.php')) {
 							include_once $app->functions->check_include_path(ISPC_WEB_PATH . '/' . $_SESSION['s']['user']['startmodule'].'/lib/module.conf.php');
 							$menu_dir = ISPC_WEB_PATH.'/' . $_SESSION['s']['user']['startmodule'] . '/lib/menu.d';
@@ -257,20 +261,20 @@ if(count($_POST) > 0) {
 								$_SESSION['show_error_msg'] = $app->lng('theme_not_compatible');
 							}
 						}
-						
+
 						$app->plugin->raiseEvent('login', $username);
-						
+
 						//* Save successfull login message to var
-						$authlog = 'Successful login for user \''. $username .'\' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id();						
+						$authlog = 'Successful login for user \''. $username .'\' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id();
 						$authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a');
 						fwrite($authlog_handle, $authlog ."\n");
 						fclose($authlog_handle);
-						
+
 						/*
 						* We need LOGIN_REDIRECT instead of HEADER_REDIRECT to load the
 						* new theme, if the logged-in user has another
 						*/
-						
+
 						if ($loginAs){
 							echo 'LOGIN_REDIRECT:'.$_SESSION['s']['module']['startpage'];
 							exit;
@@ -327,7 +331,7 @@ if($security_config['password_reset_allowed'] == 'yes') {
 } else {
 	$app->tpl->setVar('pw_lost_show', 0);
 }
-		
+
 $app->tpl->setVar('error', $error);
 $app->tpl->setVar('error_txt', $app->lng('error_txt'));
 $app->tpl->setVar('login_txt', $app->lng('login_txt'));