tbrehm
2009-03-23 f68122272dcca8694ccac70578b0fc35d3d70e06
Changed default encryption method for ispconfig controlpanel users from md5 to crypt-md5.
11 files modified
64 ■■■■ changed files
interface/web/admin/form/users.tform.php 1 ●●●● patch | view | raw | blame | history
interface/web/client/form/client.tform.php 2 ●●● patch | view | raw | blame | history
interface/web/login/index.php 29 ●●●● patch | view | raw | blame | history
interface/web/login/lib/lang/en.lng 3 ●●●●● patch | view | raw | blame | history
interface/web/login/lib/lang/es.lng 2 ●●●●● patch | view | raw | blame | history
interface/web/login/lib/lang/fr.lng 2 ●●●●● patch | view | raw | blame | history
interface/web/login/lib/lang/it.lng 2 ●●●●● patch | view | raw | blame | history
interface/web/login/lib/lang/nl.lng 2 ●●●●● patch | view | raw | blame | history
interface/web/login/lib/lang/se.lng 2 ●●●●● patch | view | raw | blame | history
interface/web/login/password_reset.php 18 ●●●● patch | view | raw | blame | history
interface/web/tools/form/user_settings.tform.php 1 ●●●● patch | view | raw | blame | history
interface/web/admin/form/users.tform.php
@@ -158,6 +158,7 @@
        'passwort' => array (
            'datatype'    => 'VARCHAR',
            'formtype'    => 'PASSWORD',
            'encryption'=> 'CRYPT',
            'regex'        => '',
            'errmsg'    => '',
            'default'    => '',
interface/web/client/form/client.tform.php
@@ -119,7 +119,7 @@
        'password' => array (
            'datatype'    => 'VARCHAR',
            'formtype'    => 'PASSWORD',
            'encryption'=> 'MD5',
            'encryption'=> 'CRYPT',
            'default'    => '',
            'value'        => '',
            'separator'    => '',
interface/web/login/index.php
@@ -58,8 +58,8 @@
        if(count($_POST) > 0) {
            
            //** Check variables
            if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = 'Username contains unallowed characters or is longer then 64 characters.';
            if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = 'The password length is > 64 characters.';
            if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
            if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');
            
            //** iporting variables
            $ip       = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
@@ -105,10 +105,29 @@
                } else {
                    if ($loginAs){
                        $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
                    } else {
                        $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )";
                    }
                    $user = $app->db->queryOneRecord($sql);
                    } else {
                        $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
                        $user = $app->db->queryOneRecord($sql);
                        if($user && $user['active'] == 1) {
                            $saved_password = stripslashes($user['passwort']);
                            if(substr($saved_password,0,3) == '$1$') {
                                //* The password is crypt-md5 encrypted
                                $salt = '$1$'.substr($saved_password,3,8).'$';
                                if(crypt($passwort,$salt) != $saved_password) {
                                    $user = false;
                                }
                            } else {
                                //* The password is md5 encrypted
                                if(md5($passwort) != $saved_password) {
                                    $user = false;
                                }
                            }
                        } else {
                            $user = false;
                        }
                    }
                    if($user) {
                        if($user['active'] == 1) {
                            // User login right, so attempts can be deleted
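Review bot: The new hash checks `if(crypt($passwort,$salt) != $saved_password)` and `if(md5($passwort) != $saved_password)` use loose comparison, and PHP compares two numeric-looking strings numerically, which a hex digest can be; use strict comparison or, on current PHP, the constant-time `hash_equals()`: `if (!hash_equals($saved_password, crypt($passwort, $salt))) {` and the same form for the md5 branch. The salt reconstruction `'$1$'.substr($saved_password,3,8).'$'` can be replaced by passing the stored hash as the salt, `crypt($passwort, $saved_password)`, which is the documented idiom and does not assume an 8-character salt. `$passwort` is assigned outside the hunk; if it is the db-quoted copy from the "importing variables" block, crypt()/md5() run over the escaped string rather than the raw submitted password, so confirm which value reaches this branch. The enclosing login handler starts and ends outside the hunk.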
interface/web/login/lib/lang/en.lng
@@ -12,4 +12,7 @@
$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
interface/web/login/lib/lang/es.lng
@@ -9,4 +9,6 @@
$wb['pw_error_noinput'] = 'Por favor, introduzca la dirección de correo y el nombre de usuario.';
$wb['pw_reset_mail_msg'] = 'La contraseña de su cuenta de panel de control ISPConfig 3 ha sido reseteada. La nueva contraseña es: ';
$wb['pw_reset_mail_title'] = 'La contraseña del panel de control ISPConfig 3 ha sido reseteada.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
interface/web/login/lib/lang/fr.lng
@@ -9,4 +9,6 @@
$wb['pw_error_noinput'] = 'Please enter email address and username.';
$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
interface/web/login/lib/lang/it.lng
@@ -9,4 +9,6 @@
$wb['pw_error_noinput'] = 'Inserisci nome utente e indirizzo email.';
$wb['pw_reset_mail_msg'] = 'La password nel tuo pannello di controllo ISPConfig 3 è stata reimpostata. La nuova password è: ';
$wb['pw_reset_mail_title'] = 'Password del pannello di controllo ISPConfig 3 reimpostata.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
interface/web/login/lib/lang/nl.lng
@@ -9,4 +9,6 @@
$wb['pw_error_noinput'] = 'Voer a.u.b. uw Emailadres en gebruikersnaam in.';
$wb['pw_reset_mail_msg'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset. Het nieuwe wachtwoord is: ';
$wb['pw_reset_mail_title'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
interface/web/login/lib/lang/se.lng
@@ -9,4 +9,6 @@
$wb['pw_error_noinput'] = 'Please enter email address and username.';
$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
$wb['pw_error_length'] = 'The password length is > 64 characters.';
?>
interface/web/login/password_reset.php
@@ -43,17 +43,27 @@
if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
    
    if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error'));
    if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error'));
    $username = $app->db->quote($_POST['username']);
    $email = $app->db->quote($_POST['email']);
    
    $client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' && email = '$email'");
    $client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' AND email = '$email'");
    
    if($client['client_id'] > 0) {
        $new_password = md5 (uniqid (rand()));
        $new_password = $app->db->quote($new_password);
        $salt="$1$";
        for ($n=0;$n<11;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
        $salt.="$";
        $new_password_encrypted = crypt($new_password,$salt);
        $new_password_encrypted = $app->db->quote($new_password_encrypted);
        $username = $app->db->quote($client['username']);
        $app->db->query("UPDATE sys_user SET passwort = md5('$new_password') WHERE username = '$username'");
        $app->db->query("UPDATE client SET ´password´ = md5('$new_password') WHERE username = '$username'");
        $app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'");
        $app->db->query("UPDATE client SET ´password´ = '$new_password_encrypted' WHERE username = '$username'");
        $app->tpl->setVar("message",$wb['pw_reset']);
        
        mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);
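Review bot: The salt loop `$salt.=chr(mt_rand(64,126));` draws from ASCII 64–126, which includes `$` and other characters outside the crypt salt alphabet (`./0-9A-Za-z`); a `$` inside the salt terminates it early and the stored hash then carries a shorter salt than intended. Restrict the salt to that alphabet and to the 8 characters crypt-md5 uses, e.g. `$alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';` with `$salt .= $alphabet[mt_rand(0, 63)];` over 8 iterations (`random_int` on current PHP). The reset password itself, `md5 (uniqid (rand()))`, is derived from a time-based id and a non-cryptographic generator, so it has far less entropy than its 32 hex characters suggest; on current PHP build it from `bin2hex(random_bytes(16))` instead. `$new_password` is also db-quoted before being hashed and mailed, which is a no-op for a hex string but becomes wrong the moment the generator emits other characters, so hash and mail the unquoted value. The surrounding if-block continues outside the hunk.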
interface/web/tools/form/user_settings.tform.php
@@ -104,6 +104,7 @@
        'passwort' => array (
            'datatype'    => 'VARCHAR',
            'formtype'    => 'PASSWORD',
            'encryption'=> 'CRYPT',
            'regex'        => '',
            'errmsg'    => '',
            'default'    => '',