GitLab

When trying to reset a password from ISPConfig main login screen, the user is prompted to enter his email address and username. Afterwards, he receives an email comprising his new password to log into ISPConfig. In my case, the newly generated password consisted of only 3 letters, e.g. the following passwords were created automatically:

• 35#
• _@3

Since this password can indeed be used to log into the account afterwards, this presents a serious security risk since three-digits passwords can easily be guessed using brute force attacks and some users may be tempted to leave this password as-is.

More detailed information about the system configuration used:

• ISPConfig 3.0.5.4p6
• Operating system: Debian Wheezy (7.8)
• Used PHP version: PHP 5.4.39-0+deb7u2

Password generation settings within ISPConfig:

• minimum password length: 8
• minimum password complexity: medium

It appears as if the following line in interface/lib/classes/auth.inc.php -> get_random_password is the culprit for this behaviour: $minLength = $minLength || 10;

Once deactivated, password generation worked as intended and resulted in passwords in line with the minimum password length policy.