Changed default encryption method for ispconfig controlpanel users from md5 to crypt-md5.

interface/web/admin/form/users.tform.php

@@ -158,6 +158,7 @@ $form['tabs']['users'] = array (
 		'passwort' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'PASSWORD',
+			'encryption'=> 'CRYPT',
 			'regex'		=> '',
 			'errmsg'	=> '',
 			'default'	=> '',

interface/web/client/form/client.tform.php

@@ -119,7 +119,7 @@ $form["tabs"]['address'] = array (
 		'password' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'PASSWORD',
-			'encryption'=> 'MD5',
+			'encryption'=> 'CRYPT',
 			'default'	=> '',
 			'value'		=> '',
 			'separator'	=> '',

interface/web/login/index.php

@@ -58,8 +58,8 @@ class login_index {
 		if(count($_POST) > 0) {
 			
 			//** Check variables
-			if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = 'Username contains unallowed characters or is longer then 64 characters.';
-			if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = 'The password length is > 64 characters.';
+			if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
+			if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');
 			
 	        //** iporting variables
 	        $ip 	  = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
@@ -105,10 +105,29 @@ class login_index {
 	        	} else {
 					if ($loginAs){
 			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
+						$user = $app->db->queryOneRecord($sql);
 					} else {
-			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )";
-					}
+			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
 						$user = $app->db->queryOneRecord($sql);
+						if($user && $user['active'] == 1) {
+							$saved_password = stripslashes($user['passwort']);
+							if(substr($saved_password,0,3) == '$1$') {
+								//* The password is crypt-md5 encrypted
+								$salt = '$1$'.substr($saved_password,3,8).'$';
+								if(crypt($passwort,$salt) != $saved_password) {
+									$user = false;
+								}
+							} else {
+								//* The password is md5 encrypted
+								if(md5($passwort) != $saved_password) {
+									$user = false;
+								}
+							}
+						} else {
+							$user = false;
+						}
+					}
+		            
 		            if($user) {
 		                if($user['active'] == 1) {
 		                	// User login right, so attempts can be deleted

interface/web/login/lib/lang/en.lng

@@ -12,4 +12,7 @@ $wb['pw_error_noinput'] = 'Please enter email address and username.';
 $wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
 $wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
 
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+
 ?>
\ No newline at end of file

interface/web/login/lib/lang/es.lng

@@ -9,4 +9,6 @@ $wb['pw_error'] = 'El usuario o la cuenta de correo no coinciden.';
 $wb['pw_error_noinput'] = 'Por favor, introduzca la dirección de correo y el nombre de usuario.';
 $wb['pw_reset_mail_msg'] = 'La contraseña de su cuenta de panel de control ISPConfig 3 ha sido reseteada. La nueva contraseña es: ';
 $wb['pw_reset_mail_title'] = 'La contraseña del panel de control ISPConfig 3 ha sido reseteada.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
 ?>

interface/web/login/lib/lang/fr.lng

@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Username or email address does not match.';
 $wb['pw_error_noinput'] = 'Please enter email address and username.';
 $wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
 $wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
 ?>

interface/web/login/lib/lang/it.lng

@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Nome utente o email non corrispondenti.';
 $wb['pw_error_noinput'] = 'Inserisci nome utente e indirizzo email.';
 $wb['pw_reset_mail_msg'] = 'La password nel tuo pannello di controllo ISPConfig 3 è stata reimpostata. La nuova password è: ';
 $wb['pw_reset_mail_title'] = 'Password del pannello di controllo ISPConfig 3 reimpostata.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
 ?>

interface/web/login/lib/lang/nl.lng

@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Gebruikersnaam of Emailadres komen niet overeen.';
 $wb['pw_error_noinput'] = 'Voer a.u.b. uw Emailadres en gebruikersnaam in.';
 $wb['pw_reset_mail_msg'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset. Het nieuwe wachtwoord is: ';
 $wb['pw_reset_mail_title'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
 ?>

interface/web/login/lib/lang/se.lng

@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Username or email address does not match.';
 $wb['pw_error_noinput'] = 'Please enter email address and username.';
 $wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
 $wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
 ?>

interface/web/login/password_reset.php

@@ -43,17 +43,27 @@ $app->tpl->setVar($wb);
 
 if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
 	
+	if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error'));
+	if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error'));
+	
 	$username = $app->db->quote($_POST['username']);
 	$email = $app->db->quote($_POST['email']);
 	
-	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' && email = '$email'");
+	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' AND email = '$email'");
 	
 	if($client['client_id'] > 0) {
 		$new_password = md5 (uniqid (rand()));
-		$new_password = $app->db->quote($new_password);
+		$salt="$1$";
+		for ($n=0;$n<11;$n++) {
+			$salt.=chr(mt_rand(64,126));
+		}
+		$salt.="$";
+		$new_password_encrypted = crypt($new_password,$salt);
+		$new_password_encrypted = $app->db->quote($new_password_encrypted);
+		
 		$username = $app->db->quote($client['username']);
-		$app->db->query("UPDATE sys_user SET passwort = md5('$new_password') WHERE username = '$username'");
-		$app->db->query("UPDATE client SET ´password´ = md5('$new_password') WHERE username = '$username'");
+		$app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'");
+		$app->db->query("UPDATE client SET ´password´ = '$new_password_encrypted' WHERE username = '$username'");
 		$app->tpl->setVar("message",$wb['pw_reset']);
 		
 		mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);

interface/web/tools/form/user_settings.tform.php

@@ -104,6 +104,7 @@ $form['tabs']['users'] = array (
 		'passwort' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'PASSWORD',
+			'encryption'=> 'CRYPT',
 			'regex'		=> '',
 			'errmsg'	=> '',
 			'default'	=> '',