Possible security problem

Hello,

my name is Bernhard Grün and I use ISPConfig since some time ago (without any problems). During a security audit (with Version 2.2.0) I saw a problem in my /etc/shadow file:

Code:

web4_bjmg:teCi1U7ES.EJw:13216:0:99999:7:::

As you can see my username is web4_bjmg and the password is only crypted - without md5 (this alone is a problem by itself!). But the problem I see is MUCH bigger.
The password for the account above is tester at the moment. As you can see the first two chars of the crypted password string are "te". So the effective password length goes down by 2! This makes word list attacks easy. This should be changed soon I think.
This is the corresponding code from the mailuser backend:

Code:

$rec["user_passwort"] = "||||:".crypt(trim($_POST["user_passwort"]),substr(trim($_POST["user_passwort"]),0,2));

As you can see it just uses the first two chars of the password string as salt. This is NOT good. Normally the salt should be something like crc16 of the username. I mean a function that outputs two bytes from a input string of variable length. This makes it harder to compare passwords against other passwords.
Example:

Code:

web4_bjmg:teCi1U7ES.EJw:13216:0:99999:7:::
web1_info:teCi1U7ES.EJw:13216:0:99999:7:::

As you can see both hashed passwords are the same. True - they are the same. This means that if one account is hacked all accounts with the same password are hacked too (even if the persons are NOT connected to eachother).

I would really love to see this fixed because it makes ISPConfig much more secure.
There is also a setting in config.inc.php:

Code:

$go_info["server"]["password_hash"] = 'crypt'; // 'crypt' = crypt; 'md5' = crypt-md5

Changeing that to md5 does nothing. At least I didn't found a code line that uses this password_hash variable.


Best wishes

Bernhard

 

Thanks for fixing it!

Bernhard