Ticket #1372 (closed defect: fixed)

Opened 3 months ago

Last modified 3 months ago

ProFTPD accepts authentication with a password made of the first 8 characters of the original password

Reported by: sci2tech Assigned to:
Priority: major Milestone: ispCP ω 1.0.0 - RC6
Component: Backend (Engine) Version: ispCP ω 1.0.0 - RC5
Severity: Don't know Keywords:
Cc:

Description

If a password exceeds 8 characters, the first 8 are enough to enter the account. See http://www.isp-control.net/forum/ending-numbers-ignored-on-ftp-password-t-3658.html . The problem is generated by using the DES method instead of MD5. Please see the patch.

Attachments

patch.txt (0.7 kB) - added by sci2tech on 07/01/08 20:20:59.
ProFTPD accepts authentication with a password made of the first 8 characters of the original password

Change History

07/01/08 20:20:59 changed by sci2tech

  • attachment patch.txt added.


(follow-up: ↓ 2 ) 07/01/08 20:30:57 changed by kilburn

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in r1255. I simply removed the salt argument from the "crypt()" call, because this way it will automatically generate an md5 salt stronger than the 2-char algorithm previously used.

(in reply to: ↑ 1 ) 07/01/08 20:41:30 changed by rats

Replying to kilburn:

automatically generate an md5 salt stronger than the 2-chars algorithm previously used.

That's not correct. DES with a 2-char salt is the default. Some systems use MD5 with 12 chars.

07/01/08 20:41:34 changed by rats

  • milestone changed from Working to ispCP ω 1.0.0 - RC6.

07/01/08 21:52:11 changed by kilburn

Debian (both etch and lenny) use md5 as the system default hashing, so their PHP "crypt()" function also uses it. I don't really know about other distros, but I suspect they're just the same.
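Added example, not part of the ticket, the attached patch or ispCP's code: the thread turns on two facts, that the 13-character DES crypt(3) format derives the hash from only the first 8 bytes of the password, and that the "$1$" MD5-crypt format (8-char salt, full password) does not. The block below is a pure-Python MD5-crypt implementation of the FreeBSD/glibc algorithm plus a small audit that flags accounts whose stored hash is still in the DES shape, run over a constructed AuthUserFile/passwd-style sample. The usernames, the DES-shaped hash string and the sample password are made up; the DES truncation itself is a property of the system crypt(3) and is not reimplemented here.

```python
# Added example (not ispCP's code): MD5-crypt ("$1$") hashing and a check for
# DES-format hashes, which crypt(3) computes from only the first 8 password bytes.
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # crypt(3)-style base64: low 6 bits first, using the ITOA64 alphabet.
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<hash>" (FreeBSD/glibc MD5-crypt). salt may be a bare
    salt or a full "$1$salt$..." string, from which the salt is extracted."""
    magic = b"$1$"
    pw = password.encode()
    s = salt[3:] if salt.startswith("$1$") else salt
    s = s.split("$")[0][:8].encode()          # at most 8 salt characters

    ctx = hashlib.md5(pw + magic + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                              # mix in alt, len(pw) bytes worth
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                  # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # deliberate stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    out = ""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((f[a] << 16) | (f[b] << 8) | f[c_], 4)
    out += _to64(f[11], 2)
    return "$1$" + s.decode() + "$" + out


def new_hash(password: str) -> str:
    """Hash with a fresh random 8-char salt (the non-truncating replacement for
    the 2-char DES salt discussed in the ticket)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in `stored` and compare in constant time."""
    if not stored.startswith("$1$"):
        raise ValueError("not an MD5-crypt hash")
    return secrets.compare_digest(md5crypt(password, stored), stored)


def hash_scheme(stored: str) -> str:
    """Classify a crypt(3)-style hash by prefix or shape."""
    if stored.startswith("$1$"):
        return "md5-crypt"
    if stored.startswith("$5$"):
        return "sha256-crypt"
    if stored.startswith("$6$"):
        return "sha512-crypt"
    if stored.startswith("$2"):
        return "bcrypt"
    if len(stored) == 13 and all(ch in ITOA64 for ch in stored):
        return "des"        # 2-char salt + 11 chars: only first 8 password bytes used
    return "unknown"


def weak_accounts(passwd_lines):
    """Yield usernames whose stored hash is DES, i.e. the first 8 characters of
    the password are enough to log in."""
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and hash_scheme(fields[1]) == "des":
            yield fields[0]


# Constructed sample in AuthUserFile / /etc/passwd layout. The DES-shaped value
# "abXYZ123pQrSt" is made up; it only needs the 13-char crypt-alphabet shape.
SAMPLE_USERS = [
    "ftp_old:abXYZ123pQrSt:1001:1001::/var/www/old:/bin/false",
    "ftp_new:" + md5crypt("correct horse battery", "Q1wE2rT3")
    + ":1002:1002::/var/www/new:/bin/false",
]

if __name__ == "__main__":
    print("DES-hashed accounts:", list(weak_accounts(SAMPLE_USERS)))
    print("ftp_new verifies:", verify("correct horse battery", SAMPLE_USERS[1].split(":")[1]))
```

weak_accounts() is the check to run over an existing user file after applying the fix: accounts that were hashed under the old DES call stay truncated until their password is re-hashed, since the stored hash cannot be upgraded without the full password.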
