ISPConfig 3

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Frontend
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Normal
  • Reported Version GIT/Master
  • Due in Version 3.0.2
  • Due Date Undecided
  • Votes 0
  • Private No
Attached to Project: ISPConfig 3
Opened by Mark D. (matida) - 2010-01-19
Last edited by Till (Till) - 2010-01-21

FS#1032 - Change Password bugged

Hi,

If I create a new user, the password in the sys_user table is crypt and I can log in fine.
If I change the password with Tools / Password, the password will be encrypted in MD5 ($1$)
and I can't log into the GUI anymore (svn rev 1542).

Greets
Mark

This task does not depend on any other tasks.

Closed by  Till (Till)
Thursday, 21 January 2010, 10:15 GMT
Reason for closing:  Fixed
Till (Till)
Wednesday, 20 January 2010, 11:24 GMT
I'm not able to reproduce that. The encryption in MD5 is correct and normal crypt will work as well. I just tested the current SVN version and the login works fine independently of whether the password is changed under system or tools.
Mark D. (matida)
Wednesday, 20 January 2010, 12:02 GMT
I reproduced the bug on 2 different servers. I'll create a MySQL log this evening.
Mark D. (matida)
Wednesday, 20 January 2010, 17:58 GMT
Hi,

OK. I log in as admin, go to Tools / Change Password and type in "test99" in this case:

100120 18:50:21 25 Connect ispconfig@localhost on
25 Query SET NAMES utf8
25 Init DB dbispconfig
25 Query SELECT sys_userid FROM `sys_user` WHERE userid = 1
25 Init DB dbispconfig
25 Query UPDATE `sys_user` SET `passwort` = '$1$\\GUF~P\\V$MF.X3kptEDFH.iZ4SuzwK/', `language` = 'de' WHERE userid = 1
25 Quit

I log out and try to log in with the new password. All I see in the MySQL log is:

100120 18:50:26 26 Connect ispconfig@localhost on
26 Query SET NAMES utf8
26 Init DB dbispconfig
26 Query SELECT * FROM `attempts_login` WHERE `ip`= '3232235521' AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1
26 Init DB dbispconfig
26 Query SELECT * FROM sys_user WHERE USERNAME = 'admin'
26 Init DB dbispconfig
26 Query INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('3232235521', 1, NOW())
26 Quit

And I can't log in. After that I put the old password back in the passwort field and started over... This time I see "$1$qb|U{JGX$pNghKoV9NpbO4udN7xyxV." as password and this time it works. WTF?!

Very strange. I'll try some more.
Mark D. (matida)
Wednesday, 20 January 2010, 18:14 GMT
Ah,

OK. I have the problem. I retried and retried and now I had it again...

50 Query UPDATE `sys_user` SET `passwort` = '$1$X~\\PRBMe$5OgKfbfx5Tse/sbPTBhin.', `language` = 'de' WHERE userid = 1
50 Quit

Had to retry ~ 10 times, then the password had \\ in it again and the login fails. Passwords with \\ work fine.

Greets
Mark
Mark D. (matida)
Wednesday, 20 January 2010, 18:15 GMT
Passwords *without* \\ work fine.
Till (Till)
Thursday, 21 January 2010, 10:15 GMT
Ok. Thanks for your tests. I limited the characters that can be used for the salt so that they do not contain backslashes.
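
The check discussed in this thread, as an added example that is not part of the original report and not ISPConfig's own code: it audits stored `$1$` hashes for salts containing a backslash and generates salts restricted to the crypt(3) alphabet. The function names and the simplified log unescaping are assumptions; the hash strings are the ones quoted above.

```python
import re
import secrets

# Salt alphabet of crypt(3): no backslash, quote or other SQL-significant byte.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_CRYPT = re.compile(r"\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})")

def new_salt(length=8):
    """Random MD5-crypt salt drawn only from the crypt(3) alphabet."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(length))

def from_query_log(literal):
    """Undo the backslash doubling seen in the MySQL query log (simplified)."""
    return literal.replace("\\\\", "\\")

def classify(stored):
    """Return 'backslash', 'nonstandard' or 'ok' for a stored $1$ hash."""
    m = MD5_CRYPT.fullmatch(stored)
    if m is None:
        raise ValueError("not an MD5-crypt ($1$) hash")
    salt = m.group(1)
    if "\\" in salt:
        return "backslash"      # the case reported as breaking login
    if set(salt) - set(CRYPT_ALPHABET):
        return "nonstandard"    # outside the alphabet, but reported as working
    return "ok"

# Literals copied from the UPDATE statements and the comment in this report.
LOGGED = [
    r"$1$\\GUF~P\\V$MF.X3kptEDFH.iZ4SuzwK/",
    r"$1$qb|U{JGX$pNghKoV9NpbO4udN7xyxV.",
    r"$1$X~\\PRBMe$5OgKfbfx5Tse/sbPTBhin.",
]

def audit(literals):
    """Pair each stored hash (log escaping undone) with its verdict."""
    return [(h, classify(h)) for h in map(from_query_log, literals)]

if __name__ == "__main__":
    for stored, verdict in audit(LOGGED):
        print(f"{verdict:12} {stored}")
    print("new salt:", new_salt())
```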
