Commit f6812227 authored by tbrehm's avatar tbrehm

Changed default encryption method for ispconfig controlpanel users from md5 to crypt-md5.

parent 7b56208b
......@@ -158,6 +158,7 @@ $form['tabs']['users'] = array (
'passwort' => array (
'datatype' => 'VARCHAR',
'formtype' => 'PASSWORD',
'encryption'=> 'CRYPT',
'regex' => '',
'errmsg' => '',
'default' => '',
......
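Review bot: The new `'encryption'=> 'CRYPT'` entry (here and in the other two form definitions changed by this commit) is only coherent with the login code if the form layer that consumes this flag writes hashes in the exact shape the login code inspects, i.e. a `$1$` prefix followed by the salt and `$`; that form-layer implementation is not part of this commit, so it cannot be checked here. Any stored value that does not start with `$1$` falls through to the plain-md5 comparison in the login code, so a hash produced in another crypt format (a different algorithm id) would fail to authenticate without any error. A comment on the entry naming the required format, e.g. `// 'CRYPT' must yield a crypt-md5 hash ('$1$' . salt . '$' . hash); login_index keys on that prefix`, would make the contract between the two files visible.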
......@@ -119,7 +119,7 @@ $form["tabs"]['address'] = array (
'password' => array (
'datatype' => 'VARCHAR',
'formtype' => 'PASSWORD',
'encryption'=> 'MD5',
'encryption'=> 'CRYPT',
'default' => '',
'value' => '',
'separator' => '',
......
......@@ -58,8 +58,8 @@ class login_index {
if(count($_POST) > 0) {
//** Check variables
if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = 'Username contains unallowed characters or is longer then 64 characters.';
if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = 'The password length is > 64 characters.';
if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');
//** iporting variables
$ip = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
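Review bot: Both replaced checks keep a pattern terminated by `$` without the `D` modifier, so a username or password with one trailing newline passes the length and character check (PCRE `$` also matches before a final `\n`); `preg_match("/^[\w\.\-\_]{1,64}$/D", $_POST['username'])` and `preg_match("/^.{1,64}$/D", $_POST['passwort'])` close that gap, and the `i` flag on the second pattern has no effect on `.`. The same username pattern is used again in the password-reset hunk of this commit. `$_POST['passwort']` is read without an `isset()` guard, so a request that submits only the username field raises a notice before the message is assigned. The enclosing method starts before and ends after this hunk.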
......@@ -105,10 +105,29 @@ class login_index {
} else {
if ($loginAs){
$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
$user = $app->db->queryOneRecord($sql);
} else {
$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )";
}
$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
$user = $app->db->queryOneRecord($sql);
if($user && $user['active'] == 1) {
$saved_password = stripslashes($user['passwort']);
if(substr($saved_password,0,3) == '$1$') {
//* The password is crypt-md5 encrypted
$salt = '$1$'.substr($saved_password,3,8).'$';
if(crypt($passwort,$salt) != $saved_password) {
$user = false;
}
} else {
//* The password is md5 encrypted
if(md5($passwort) != $saved_password) {
$user = false;
}
}
} else {
$user = false;
}
}
if($user) {
if($user['active'] == 1) {
// User login right, so attempts can be deleted
......
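Review bot: The two comparisons added here, `crypt($passwort,$salt) != $saved_password` and `md5($passwort) != $saved_password`, use PHP's loose comparison, under which two different strings that both parse as numbers (for example md5 hex digests of the form `0e` followed only by digits) compare equal; use `!==` on both lines, or a constant-time comparison such as `hash_equals()` where the deployed PHP version provides it. Rebuilding the salt with `substr($saved_password,3,8)` assumes an 8-character salt; passing the stored hash itself, `crypt($passwort, $saved_password)`, lets crypt() read its own salt and tolerates whatever salt length the writer used. `stripslashes()` on the stored value presumably undoes escaping added when the row was written, and if `$passwort` has already been through `$app->db->quote()` (as the `PASSWORT = '$passwort'` query in the `$loginAs` branch suggests) then passwords containing quotes or backslashes are hashed in escaped form and may not match a hash computed from the raw value — worth confirming against the code that stores the hash. The enclosing method starts before and ends after this hunk.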
......@@ -12,4 +12,7 @@ $wb['pw_error_noinput'] = 'Please enter email address and username.';
$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
\ No newline at end of file
......@@ -9,4 +9,6 @@ $wb['pw_error'] = 'El usuario o la cuenta de correo no coinciden.';
$wb['pw_error_noinput'] = 'Por favor, introduzca la dirección de correo y el nombre de usuario.';
$wb['pw_reset_mail_msg'] = 'La contraseña de su cuenta de panel de control ISPConfig 3 ha sido reseteada. La nueva contraseña es: ';
$wb['pw_reset_mail_title'] = 'La contraseña del panel de control ISPConfig 3 ha sido reseteada.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
......@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Username or email address does not match.';
$wb['pw_error_noinput'] = 'Please enter email address and username.';
$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
......@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Nome utente o email non corrispondenti.';
$wb['pw_error_noinput'] = 'Inserisci nome utente e indirizzo email.';
$wb['pw_reset_mail_msg'] = 'La password nel tuo pannello di controllo ISPConfig 3 è stata reimpostata. La nuova password è: ';
$wb['pw_reset_mail_title'] = 'Password del pannello di controllo ISPConfig 3 reimpostata.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
......@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Gebruikersnaam of Emailadres komen niet overeen.';
$wb['pw_error_noinput'] = 'Voer a.u.b. uw Emailadres en gebruikersnaam in.';
$wb['pw_reset_mail_msg'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset. Het nieuwe wachtwoord is: ';
$wb['pw_reset_mail_title'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
......@@ -9,4 +9,6 @@ $wb['pw_error'] = 'Username or email address does not match.';
$wb['pw_error_noinput'] = 'Please enter email address and username.';
$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
......@@ -43,17 +43,27 @@ $app->tpl->setVar($wb);
if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error'));
if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error'));
$username = $app->db->quote($_POST['username']);
$email = $app->db->quote($_POST['email']);
$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' && email = '$email'");
$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' AND email = '$email'");
if($client['client_id'] > 0) {
$new_password = md5 (uniqid (rand()));
$new_password = $app->db->quote($new_password);
$salt="$1$";
for ($n=0;$n<11;$n++) {
$salt.=chr(mt_rand(64,126));
}
$salt.="$";
$new_password_encrypted = crypt($new_password,$salt);
$new_password_encrypted = $app->db->quote($new_password_encrypted);
$username = $app->db->quote($client['username']);
$app->db->query("UPDATE sys_user SET passwort = md5('$new_password') WHERE username = '$username'");
$app->db->query("UPDATE client SET ´password´ = md5('$new_password') WHERE username = '$username'");
$app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'");
$app->db->query("UPDATE client SET ´password´ = '$new_password_encrypted' WHERE username = '$username'");
$app->tpl->setVar("message",$wb['pw_reset']);
mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);
......
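Review bot: The salt loop draws 11 characters from `chr(mt_rand(64,126))`, but crypt-md5 uses at most 8 salt characters from the alphabet `./0-9A-Za-z`; characters such as `^`, `{`, `|` or `~` lie outside that alphabet and their treatment is not guaranteed to be portable across crypt() implementations, and the three surplus characters are never used. Drawing exactly 8 characters from the defined alphabet removes both problems (rewrite below). The new password is still `md5(uniqid(rand()))`, so its entropy comes from a non-cryptographic generator seeded by the clock and is far lower than its 32 hex characters suggest; a CSPRNG source such as `openssl_random_pseudo_bytes()` (or `random_bytes()` on PHP 7 and later) should feed it. The rewritten UPDATE on the `client` table still wraps the column name in acute accents (`´password´`) rather than backticks, which is not valid MySQL identifier quoting; the defect predates this commit but the line is touched here and could be corrected in the same change.
```php
$new_password = $app->db->quote($new_password);
// crypt-md5 reads at most 8 salt characters, all from this 64-character alphabet
$salt_alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
$salt = '$1$';
for ($n = 0; $n < 8; $n++) {
    $salt .= $salt_alphabet[mt_rand(0, 63)];
}
$salt .= '$';
$new_password_encrypted = crypt($new_password, $salt);
// … unchanged: quoting, UPDATE statements and mail …
```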
......@@ -104,6 +104,7 @@ $form['tabs']['users'] = array (
'passwort' => array (
'datatype' => 'VARCHAR',
'formtype' => 'PASSWORD',
'encryption'=> 'CRYPT',
'regex' => '',
'errmsg' => '',
'default' => '',
......