Salt generation for CRYPT passwords

Discussion in 'Developers' Forum' started by papyHerman, Mar 8, 2010.

  1. papyHerman

    papyHerman New Member

    Due to errors in parsing the authorization file, I've rewritten some parts of the PHP:
    Here is a proposed patch:
    (the same applies to interface/lib/classes/tform.inc.php, interface/lib/classes/remoting_lib.inc.php and this one: password_reset.php)
    [PRE]
    +++ ispconfig3_install_felix/interface/web/login/password_reset.php 2010-03-08 13:28:52.000000000 +0000
    @@ -53,9 +53,13 @@

    if($client['client_id'] > 0) {
    $new_password = md5 (uniqid (rand()));
    + $saltpack=array[(]"a","b","c","d","e","f","g","h","i","j","k","l","m","n",
    + "o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E",
    + "F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V",
    + "W","X","Y","Z","0","1","2","3","4","5","6","7","8","9",".","/");
    $salt="$1$";
    for ($n=0;$n<11;$n++) {
    - $salt.=chr(mt_rand(64,126));
    + $salt.=$saltpack[rand(0,63)];
    }
    $salt.="$";
    $new_password_encrypted = crypt($new_password,$salt);
    [/PRE]
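    Review bot: `array[(]` on the first `+` line is not valid PHP; the stray `[` and `]` around the opening parenthesis make it a parse error, so it should read `$saltpack=array("a","b","c", ...`. The alphabet itself is exactly the 64 characters `./0-9A-Za-z` that crypt() accepts in a salt, and `rand(0,63)` indexes all 64 entries, so the replacement for `chr(mt_rand(64,126))` is correct in intent. Two further points: `rand()` is not a cryptographically secure generator, so both the salt and the new password built from `md5 (uniqid (rand()))` are more predictable than they should be, and a cryptographic random source would be the better choice here; and with the `$1$` prefix (MD5-crypt) crypt() uses only the first 8 salt characters, so the 11-iteration loop produces 3 characters that are silently ignored.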
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Which ISPConfig version did you use? The fix that has been applied to the salt generation of the normal form library a few weeks ago and which gets released as part of ISPConfig 3.0.2 was not applied to the corresponding function of the remoting lib and the password reset function. I applied the changes to the remoting lib and password reset now too to fix the issue you pointed out, please check if it works now for you.
     
  4. papyHerman

    papyHerman New Member

    I've encountered problems with the old version 2, but recently
    I downloaded version 3.0.1.6 on 5 March.
    OK. I will download the latest version and try an upgrade...
     
  5. papyHerman

    papyHerman New Member

    The currently available version is 3.0.1.6. How do I get a more recent version?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The changes are in SVN. If your system is used in production, you should wait for the release of the 3.0.2 final. If it's a test system, update the installation to SVN by running:

    ispconfig_update.sh

    and then choose svn as update source.
     
  7. papyHerman

    papyHerman New Member

    rand 64-126

    I've downloaded the version ISPConfig-3.0.2-rc1.tar.gz
    and a little ``find . -type f -print0 | xargs -0 grep -Hi rand.*64.126''
    always shows 3 files: web/login/password_reset.php,
    lib/classes/tform.inc.php and lib/classes/remoting_lib.inc.php.

    There is a problem with many characters between 64 and 126:
    pipe, backslash, and so on.

    This could cause problems when parsing some config files,
    like postfix's userdb...

    In any case, to obtain 63 characters as ``saltpack'', you don't use numbers.
     
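    The following is an added example, not code from the ISPConfig patch or from the project, illustrating the point made in this post: a crypt() salt must be drawn only from the 64-character alphabet `./0-9A-Za-z`, while `chr(mt_rand(64,126))` also yields `@`, `[`, `\`, `` ` ``, `|` and other characters that break parsers of files the hash is written into. It assumes PHP 7 or later (for `random_int()` and `random_bytes()`); the function names `make_md5crypt_salt`, `is_valid_crypt_salt` and `old_style_salt` are mine and the password is a constructed throw-away value.

```php
<?php
// Added example (not ISPConfig code): build an MD5-crypt salt from the portable
// crypt alphabet only, validate it, and show which characters the old
// chr(mt_rand(64,126)) generator can produce that are not legal salt characters.

// The 64 characters every crypt() scheme accepts in its salt field.
const CRYPT_SALT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/**
 * Return a "$1$<salt>$" prefix for MD5-crypt. MD5-crypt uses at most 8 salt
 * characters, so 8 are generated. random_int() is a CSPRNG, unlike rand()/mt_rand().
 */
function make_md5crypt_salt(int $length = 8): string {
    $alphabet = CRYPT_SALT_ALPHABET;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return '$1$' . $salt . '$';
}

/** True if the salt has the "$1$" prefix and only crypt-alphabet characters. */
function is_valid_crypt_salt(string $salt): bool {
    return preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$$#', $salt) === 1;
}

/** The generator from the original files: ASCII 64..126, which includes | \ ` { } and more. */
function old_style_salt(): string {
    $salt = '$1$';
    for ($n = 0; $n < 11; $n++) {
        $salt .= chr(mt_rand(64, 126));
    }
    return $salt . '$';
}

// List the characters in 64..126 that are outside the crypt alphabet.
$bad = [];
for ($c = 64; $c <= 126; $c++) {
    if (strpos(CRYPT_SALT_ALPHABET, chr($c)) === false) {
        $bad[] = chr($c);
    }
}
echo "chr(64..126) characters that are not valid in a salt: " . implode(' ', $bad) . "\n";
// Prints: @ [ \ ] ^ _ ` { | } ~   (and the range never yields digits, '.' or '/')

$password = bin2hex(random_bytes(16));   // constructed throw-away password
$good = make_md5crypt_salt();
$old  = old_style_salt();
echo "new salt $good valid: " . var_export(is_valid_crypt_salt($good), true) . "\n";
echo "old salt $old valid: " . var_export(is_valid_crypt_salt($old), true) . "\n";

// Hash with the good salt and verify by re-hashing with the stored hash as the salt
// (crypt() reads the "$1$xxxxxxxx$" prefix from it); hash_equals() compares in constant time.
$hash = crypt($password, $good);
echo "hash:   $hash\n";
echo "verify: " . var_export(hash_equals($hash, crypt($password, $hash)), true) . "\n";
```

    On current PHP, `password_hash()`/`password_verify()` generate and embed the salt themselves and avoid both problems shown here; the explicit salt above is only to match what the 2010 code does.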
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    As I posted above, the code has been changed in SVN and not in RC1. The code in SVN uses only characters for salts that are OK.

    You should not rely on find. Find can neither tell you if a bit of code is used nor if it's commented out.
     
