Hardening password checks

Author: Serghey Rodin

bin/v-check-user-password

@@ -82,7 +82,7 @@ if [ -z "$salt" ]; then
 fi
 
 # Generating hash
-hash=$($BIN/v-generate-password-hash $method $salt <<< $password)
+hash=$($BIN/v-generate-password-hash $method $salt <<< "$password")
 if [[ -z "$hash" ]]; then
     echo "Error: password missmatch"
     echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log

func/main.sh

@@ -273,7 +273,7 @@ is_object_value_exist() {
 is_password_valid() {
     if [[ "$password" =~ ^/tmp/ ]]; then
         if [ -f "$password" ]; then
-            password=$(head -n1 $password)
+            password="$(head -n1 $password)"
         fi
     fi
 }

web/api/index.php

@@ -18,13 +18,15 @@
         fwrite($fp, $_POST['password']."\n");
         fclose($fp);
         $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
-        exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'",  $output, $auth_code);
+        exec(VESTA_CMD ."v-check-user-password ".$v_user." ".escapeshellarg($v_password)." '".$v_ip_addr."'",  $output, $auth_code);
         unlink($v_password);
+    /* No hash auth for security reason
     } else {
         $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
         if (file_exists($key) && is_file($key)) {
             $auth_code = '0';
         }
+    */
     }
 
     if ($auth_code != 0 ) {

web/login/index.php

@@ -44,7 +44,7 @@
         fclose($fp);
 
         // Check user & password
-        exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." ".escapeshellarg($_SERVER['REMOTE_ADDR']),  $output, $return_var);
+        exec(VESTA_CMD ."v-check-user-password ".$v_user." ".escapeshellarg($v_password)." ".escapeshellarg($_SERVER['REMOTE_ADDR']),  $output, $return_var);
         unset($output);
 
         // Remove tmp file