[1/5] chpasswd.cgi: Fixes bug12755 - proxy auth password problem longer than 8 chars
Commit Message
- The existing version of the perl module Apache::Htpasswd was using the crypt hash for
the password hashing, which is very insecure. The only alternative with this module
is the md5 and sha1 hashes which are also considered weak now.
- The module was last updated in Nov 2012 and there is no alternative module available.
- This patch replaces that perl module with using the apache htpasswd program. This can
be set to use the bcrypt hash which is considered secure. This is used for the
generation of the root and admin passwords during the IPFire install.
- Tested out on my vm testbed system and the password for a specific user name was
changed successfully without any restriction to the length of the password.
- Existing passwords with the existing md5 or crypt options will still work as htpasswd
can manage different encoding hashes in the one file.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/chpasswd.cgi | 32 ++++++++++++++------------------
1 file changed, 14 insertions(+), 18 deletions(-)
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -20,8 +20,6 @@
###############################################################################
use CGI qw(param);
-use Apache::Htpasswd;
-use Crypt::PasswdMD5;
$swroot = "/var/ipfire";
@@ -76,21 +74,19 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
goto ERROR;
}
- my $htpasswd = new Apache::Htpasswd("$userdb");
-
- # Check if a user with this name exists
- my $old_password = $htpasswd->fetchPass($cgiparams{'USERNAME'});
- if (!$old_password) {
- $errormessage = $tr{'advproxy errmsg invalid user'};
- goto ERROR;
- }
-
- # Reset password
- if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'},
- $cgiparams{'OLD_PASSWORD'})) {
- $errormessage = $tr{'advproxy errmsg password incorrect'};
- goto ERROR;
- }
+ # Check if a user with this name and password exists in the userdb file
+ # and if it does then change the password to the new one
+ my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb");
+ my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}");
+ if (!$user) {
+ $errormessage = $tr{'advproxy errmsg invalid user'};
+ goto ERROR;
+ } elsif (!old_password) {
+ $errormessage = $tr{'advproxy errmsg password incorrect'};
+ goto ERROR;
+ } else {
+ &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'NEW_PASSWORD_1'}");
+ }
$success = 1;
undef %cgiparams;