Changed default encryption method for ispconfig controlpanel users from md5 to crypt-md5.

Author: tbrehm

interface/web/admin/form/users.tform.php

@@ -158,6 +158,7 @@
 		'passwort' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'PASSWORD',
+			'encryption'=> 'CRYPT',
 			'regex'		=> '',
 			'errmsg'	=> '',
 			'default'	=> '',

interface/web/client/form/client.tform.php

@@ -119,7 +119,7 @@
 		'password' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'PASSWORD',
-			'encryption'=> 'MD5',
+			'encryption'=> 'CRYPT',
 			'default'	=> '',
 			'value'		=> '',
 			'separator'	=> '',

interface/web/login/index.php

@@ -58,8 +58,8 @@ public function render() {
 		if(count($_POST) > 0) {
 
 			//** Check variables
-			if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = 'Username contains unallowed characters or is longer then 64 characters.';
-			if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = 'The password length is > 64 characters.';
+			if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
+			if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');
 
 	        //** iporting variables
 	        $ip 	  = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
@@ -105,10 +105,29 @@ public function render() {
 	        	} else {
 					if ($loginAs){
 			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
+						$user = $app->db->queryOneRecord($sql);
 					} else {
-			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )";
+			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
+						$user = $app->db->queryOneRecord($sql);
+						if($user && $user['active'] == 1) {
+							$saved_password = stripslashes($user['passwort']);
+							if(substr($saved_password,0,3) == '$1$') {
+								//* The password is crypt-md5 encrypted
+								$salt = '$1$'.substr($saved_password,3,8).'$';
+								if(crypt($passwort,$salt) != $saved_password) {
+									$user = false;
+								}
+							} else {
+								//* The password is md5 encrypted
+								if(md5($passwort) != $saved_password) {
+									$user = false;
+								}
+							}
+						} else {
+							$user = false;
+						}
 					}
-		            $user = $app->db->queryOneRecord($sql);
+		            
 		            if($user) {
 		                if($user['active'] == 1) {
 		                	// User login right, so attempts can be deleted

interface/web/login/lib/lang/en.lng

@@ -1,15 +1,18 @@
-<?php
-
-$wb[1001]	= "Username or Password empty.";
-$wb[1002]	= "Username or Password wrong.";
-$wb[1003]	= "User is blocked.";
-$wb[1004]	= "To many wrong login's, Please retry it after 15 minutes";
-$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
-$wb['pw_reset'] = 'The password has been reset and send to your email address.';
-$wb['pw_error'] = 'Username or email address does not match.';
-$wb['pw_error_noinput'] = 'Please enter email address and username.';
-
-$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
-$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
-
+<?php
+
+$wb[1001]	= "Username or Password empty.";
+$wb[1002]	= "Username or Password wrong.";
+$wb[1003]	= "User is blocked.";
+$wb[1004]	= "To many wrong login's, Please retry it after 15 minutes";
+$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
+$wb['pw_reset'] = 'The password has been reset and send to your email address.';
+$wb['pw_error'] = 'Username or email address does not match.';
+$wb['pw_error_noinput'] = 'Please enter email address and username.';
+
+$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
+$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+
 ?>

interface/web/login/lib/lang/es.lng

@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Usuario o contraseña vacíos.';
-$wb['1002'] = 'Usuario o contraseña incorrectos.';
-$wb['1003'] = 'El usuario está bloqueado';
-$wb['1004'] = 'Demasiados intentos erroneos, por favor, inténtelo dentro de 15 minutos.';
-$wb['pass_reset_txt'] = 'Se generará una nueva contraseña que se le enviará a la cuenta de correo que tiene configurada.';
-$wb['pw_reset'] = 'La contraseña ha sido reseteada y enviada a su cuenta de correo.';
-$wb['pw_error'] = 'El usuario o la cuenta de correo no coinciden.';
-$wb['pw_error_noinput'] = 'Por favor, introduzca la dirección de correo y el nombre de usuario.';
-$wb['pw_reset_mail_msg'] = 'La contraseña de su cuenta de panel de control ISPConfig 3 ha sido reseteada. La nueva contraseña es: ';
-$wb['pw_reset_mail_title'] = 'La contraseña del panel de control ISPConfig 3 ha sido reseteada.';
-?>
+<?php
+$wb['1001'] = 'Usuario o contraseña vacíos.';
+$wb['1002'] = 'Usuario o contraseña incorrectos.';
+$wb['1003'] = 'El usuario está bloqueado';
+$wb['1004'] = 'Demasiados intentos erroneos, por favor, inténtelo dentro de 15 minutos.';
+$wb['pass_reset_txt'] = 'Se generará una nueva contraseña que se le enviará a la cuenta de correo que tiene configurada.';
+$wb['pw_reset'] = 'La contraseña ha sido reseteada y enviada a su cuenta de correo.';
+$wb['pw_error'] = 'El usuario o la cuenta de correo no coinciden.';
+$wb['pw_error_noinput'] = 'Por favor, introduzca la dirección de correo y el nombre de usuario.';
+$wb['pw_reset_mail_msg'] = 'La contraseña de su cuenta de panel de control ISPConfig 3 ha sido reseteada. La nueva contraseña es: ';
+$wb['pw_reset_mail_title'] = 'La contraseña del panel de control ISPConfig 3 ha sido reseteada.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>

interface/web/login/lib/lang/fr.lng

@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Nom dutilisateur ou mot de passe vide.';
-$wb['1002'] = 'Nom dutilisateur ou mot de passe faux.';
-$wb['1003'] = 'Utilisateur bloqu�.';
-$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
-$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
-$wb['pw_reset'] = 'The password has been reset and send to your email address.';
-$wb['pw_error'] = 'Username or email address does not match.';
-$wb['pw_error_noinput'] = 'Please enter email address and username.';
-$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
-$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
-?>
+<?php
+$wb['1001'] = 'Nom dutilisateur ou mot de passe vide.';
+$wb['1002'] = 'Nom dutilisateur ou mot de passe faux.';
+$wb['1003'] = 'Utilisateur bloqu�.';
+$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
+$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
+$wb['pw_reset'] = 'The password has been reset and send to your email address.';
+$wb['pw_error'] = 'Username or email address does not match.';
+$wb['pw_error_noinput'] = 'Please enter email address and username.';
+$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
+$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>

interface/web/login/lib/lang/it.lng

@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Nome utente o Password vuoti.';
-$wb['1002'] = 'Nome utente o Password errati.';
-$wb['1003'] = 'Utente bloccato.';
-$wb['1004'] = 'Troppi tentativi di login errati, Riprova tra 15 minuti';
-$wb['pass_reset_txt'] = 'Una nuova password sarà generata e spedita alla tua email se l`email inserita corrisponde a quella delle impostazioni dell`utente.';
-$wb['pw_reset'] = 'La password è stata reimpostata e spedita al tuo indirizzo mail.';
-$wb['pw_error'] = 'Nome utente o email non corrispondenti.';
-$wb['pw_error_noinput'] = 'Inserisci nome utente e indirizzo email.';
-$wb['pw_reset_mail_msg'] = 'La password nel tuo pannello di controllo ISPConfig 3 è stata reimpostata. La nuova password è: ';
-$wb['pw_reset_mail_title'] = 'Password del pannello di controllo ISPConfig 3 reimpostata.';
-?>
+<?php
+$wb['1001'] = 'Nome utente o Password vuoti.';
+$wb['1002'] = 'Nome utente o Password errati.';
+$wb['1003'] = 'Utente bloccato.';
+$wb['1004'] = 'Troppi tentativi di login errati, Riprova tra 15 minuti';
+$wb['pass_reset_txt'] = 'Una nuova password sarà generata e spedita alla tua email se l`email inserita corrisponde a quella delle impostazioni dell`utente.';
+$wb['pw_reset'] = 'La password è stata reimpostata e spedita al tuo indirizzo mail.';
+$wb['pw_error'] = 'Nome utente o email non corrispondenti.';
+$wb['pw_error_noinput'] = 'Inserisci nome utente e indirizzo email.';
+$wb['pw_reset_mail_msg'] = 'La password nel tuo pannello di controllo ISPConfig 3 è stata reimpostata. La nuova password è: ';
+$wb['pw_reset_mail_title'] = 'Password del pannello di controllo ISPConfig 3 reimpostata.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>

interface/web/login/lib/lang/nl.lng

@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Gebruikersnaam of wachtwoord is leeg.';
-$wb['1002'] = 'Gebruikersnaam of wachtwoord ongeldig.';
-$wb['1003'] = 'Gebruiker is geblokkeerd.';
-$wb['1004'] = 'Teveel ongeldige login pogingen, Probeer het na 15 minuten opnieuw.';
-$wb['pass_reset_txt'] = 'Een nieuw wachtwoord zal worden gegenereerd en na het hierboven ingevulde Emailadres worden gestuurd, op voorwaarde dat het Emailadres overeenkomt met het Emailadres in uw klanten-settings';
-$wb['pw_reset'] = 'Het wachtwoord is gereset en is verzonden aan uw Emailadres.';
-$wb['pw_error'] = 'Gebruikersnaam of Emailadres komen niet overeen.';
-$wb['pw_error_noinput'] = 'Voer a.u.b. uw Emailadres en gebruikersnaam in.';
-$wb['pw_reset_mail_msg'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset. Het nieuwe wachtwoord is: ';
-$wb['pw_reset_mail_title'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset.';
-?>
+<?php
+$wb['1001'] = 'Gebruikersnaam of wachtwoord is leeg.';
+$wb['1002'] = 'Gebruikersnaam of wachtwoord ongeldig.';
+$wb['1003'] = 'Gebruiker is geblokkeerd.';
+$wb['1004'] = 'Teveel ongeldige login pogingen, Probeer het na 15 minuten opnieuw.';
+$wb['pass_reset_txt'] = 'Een nieuw wachtwoord zal worden gegenereerd en na het hierboven ingevulde Emailadres worden gestuurd, op voorwaarde dat het Emailadres overeenkomt met het Emailadres in uw klanten-settings';
+$wb['pw_reset'] = 'Het wachtwoord is gereset en is verzonden aan uw Emailadres.';
+$wb['pw_error'] = 'Gebruikersnaam of Emailadres komen niet overeen.';
+$wb['pw_error_noinput'] = 'Voer a.u.b. uw Emailadres en gebruikersnaam in.';
+$wb['pw_reset_mail_msg'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset. Het nieuwe wachtwoord is: ';
+$wb['pw_reset_mail_title'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>

interface/web/login/lib/lang/se.lng

@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Anv�ndarnamn eller L�senord �r tomt.';
-$wb['1002'] = 'Felaktigt Anv�ndarnamn eller L�senord.';
-$wb['1003'] = 'Anv�ndaren �r sp�rrad.';
-$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
-$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
-$wb['pw_reset'] = 'The password has been reset and send to your email address.';
-$wb['pw_error'] = 'Username or email address does not match.';
-$wb['pw_error_noinput'] = 'Please enter email address and username.';
-$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
-$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
-?>
+<?php
+$wb['1001'] = 'Anv�ndarnamn eller L�senord �r tomt.';
+$wb['1002'] = 'Felaktigt Anv�ndarnamn eller L�senord.';
+$wb['1003'] = 'Anv�ndaren �r sp�rrad.';
+$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
+$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
+$wb['pw_reset'] = 'The password has been reset and send to your email address.';
+$wb['pw_error'] = 'Username or email address does not match.';
+$wb['pw_error_noinput'] = 'Please enter email address and username.';
+$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
+$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>

interface/web/login/password_reset.php

@@ -1,78 +1,88 @@
-<?php
-
-/*
-Copyright (c) 2008, Till Brehm, projektfarm Gmbh
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-    * Redistributions in binary form must reproduce the above copyright notice,
-      this list of conditions and the following disclaimer in the documentation
-      and/or other materials provided with the distribution.
-    * Neither the name of ISPConfig nor the names of its contributors
-      may be used to endorse or promote products derived from this software without
-      specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
-OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
-EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require_once('../../lib/config.inc.php');
-require_once('../../lib/app.inc.php');
-
-// Loading the template
-$app->uses('tpl');
-$app->tpl->newTemplate("form.tpl.htm");
-$app->tpl->setInclude('content_tpl','templates/password_reset.htm');
-
-$app->tpl_defaults();
-
-include(ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng');
-$app->tpl->setVar($wb);
-
-if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
-	
-	$username = $app->db->quote($_POST['username']);
-	$email = $app->db->quote($_POST['email']);
-	
-	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' && email = '$email'");
-	
-	if($client['client_id'] > 0) {
-		$new_password = md5 (uniqid (rand()));
-		$new_password = $app->db->quote($new_password);
-		$username = $app->db->quote($client['username']);
-		$app->db->query("UPDATE sys_user SET passwort = md5('$new_password') WHERE username = '$username'");
-		$app->db->query("UPDATE client SET ´password´ = md5('$new_password') WHERE username = '$username'");
-		$app->tpl->setVar("message",$wb['pw_reset']);
-		
-		mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);
-		
-	} else {
-		$app->tpl->setVar("message",$wb['pw_error']);
-	}
-	
-} else {
-	$app->tpl->setVar("message",$wb['pw_error_noinput']);
-}
-
-
-
-$app->tpl_defaults();
-$app->tpl->pparse();
-
-
-
-
-
+<?php
+
+/*
+Copyright (c) 2008, Till Brehm, projektfarm Gmbh
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once('../../lib/config.inc.php');
+require_once('../../lib/app.inc.php');
+
+// Loading the template
+$app->uses('tpl');
+$app->tpl->newTemplate("form.tpl.htm");
+$app->tpl->setInclude('content_tpl','templates/password_reset.htm');
+
+$app->tpl_defaults();
+
+include(ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng');
+$app->tpl->setVar($wb);
+
+if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
+	
+	if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error'));
+	if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error'));
+	
+	$username = $app->db->quote($_POST['username']);
+	$email = $app->db->quote($_POST['email']);
+	
+	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' AND email = '$email'");
+	
+	if($client['client_id'] > 0) {
+		$new_password = md5 (uniqid (rand()));
+		$salt="$1$";
+		for ($n=0;$n<11;$n++) {
+			$salt.=chr(mt_rand(64,126));
+		}
+		$salt.="$";
+		$new_password_encrypted = crypt($new_password,$salt);
+		$new_password_encrypted = $app->db->quote($new_password_encrypted);
+		
+		$username = $app->db->quote($client['username']);
+		$app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'");
+		$app->db->query("UPDATE client SET ´password´ = '$new_password_encrypted' WHERE username = '$username'");
+		$app->tpl->setVar("message",$wb['pw_reset']);
+		
+		mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);
+		
+	} else {
+		$app->tpl->setVar("message",$wb['pw_error']);
+	}
+	
+} else {
+	$app->tpl->setVar("message",$wb['pw_error_noinput']);
+}
+
+
+
+$app->tpl_defaults();
+$app->tpl->pparse();
+
+
+
+
+
 ?>