From 646e44b05947933136259a2f81a0fa8b66506044 Mon Sep 17 00:00:00 2001
From: Florian Schaal <florian@schaal-24.de>
Date: Fri, 8 Dec 2017 09:37:37 +0100
Subject: [PATCH] Increase security by random password for admin-user during
 install (Fixes #4874)

---
 install/install.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/install.php b/install/install.php
index 1b55a3dae6..50e19e943e 100644
--- a/install/install.php
+++ b/install/install.php
@@ -551,8 +551,9 @@ if($install_mode == 'standard' || strtolower($inst->simple_query('Install ISPCon
 
 	//** Customise the port ISPConfig runs on
 	$ispconfig_vhost_port = $inst->free_query('ISPConfig Port', '8080','ispconfig_port');
-	$conf['interface_password'] = $inst->free_query('Admin password', 'admin','ispconfig_admin_password');
-	if($conf['interface_password'] != 'admin') {
+	$temp_admin_password = str_shuffle(bin2hex(openssl_random_pseudo_bytes(4)));
+	$conf['interface_password'] = $inst->free_query('Admin password', $temp_admin_password, 'ispconfig_admin_password');
+	if($conf['interface_password'] != $temp_admin_password) {
 		$check = false;
 		do {
 			unset($temp_password);
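Review bot: The generated default at line 21 carries only 32 bits of entropy — `openssl_random_pseudo_bytes(4)` yields four bytes and `str_shuffle()` merely permutes the resulting eight hex digits without adding any — and the function's `$crypto_strong` out-parameter is not checked, so a weak result, or a `false` return that `bin2hex()` turns into an empty string, would be silently offered as the admin password. Prefer `$temp_admin_password = bin2hex(random_bytes(8));` (PHP 7+), which throws on failure instead of degrading; if older PHP must remain supported, at least pass the `$crypto_strong` argument and abort the install when it is false or the return is not a string. The comparison on line 23 uses loose `!=`; `!==` is the safer form when comparing secrets. The enclosing `if($install_mode == ...)` block begins before this hunk and the password-confirmation loop continues past it.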
@@ -563,6 +564,7 @@ if($install_mode == 'standard' || strtolower($inst->simple_query('Install ISPCon
 	}
 	unset($check);
 	unset($temp_password);
+	unset($temp_admin_password);
 	if($conf['apache']['installed'] == true) $conf['apache']['vhost_port']  = $ispconfig_vhost_port;
 	if($conf['nginx']['installed'] == true) $conf['nginx']['vhost_port']  = $ispconfig_vhost_port;
 	unset($ispconfig_vhost_port);
-- 
GitLab