From patchwork Tue May 6 14:10:09 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8703
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/5] chpasswd.cgi: Fixes bug12755 - proxy auth password problem longer than 8 chars
Date: Tue, 6 May 2025 16:10:09 +0200
Message-ID: <20250506141013.15292-1-adolf.belka@ipfire.org>

- The existing version of the perl module Apache::Htpasswd was using the crypt hash for the password hashing, which is very insecure. The only alternative with this module is the md5 and sha1 hashes, which are also considered weak now.
- The module was last updated in Nov 2012 and there is no alternative module available.
- This patch replaces that perl module with the apache htpasswd program. This can be set to use the bcrypt hash, which is considered secure. This is used for the generation of the root and admin passwords during the IPFire install.
- Tested out on my vm testbed system and the password for a specific user name was changed successfully without any restriction on the length of the password.
- Existing passwords with the existing md5 or crypt options will still work as htpasswd can manage different encoding hashes in the one file.

Fixes: bug12755
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/chpasswd.cgi | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)

diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi index 4930c4ca3..bda693193 100644 --- a/html/cgi-bin/chpasswd.cgi +++ b/html/cgi-bin/chpasswd.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by #
@@ -20,8 +20,6 @@ ############################################################################### use CGI qw(param); -use Apache::Htpasswd; -use Crypt::PasswdMD5; $swroot = "/var/ipfire"; @@ -76,21 +74,19 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) goto ERROR; } - my $htpasswd = new Apache::Htpasswd("$userdb"); - - # Check if a user with this name exists - my $old_password = $htpasswd->fetchPass($cgiparams{'USERNAME'}); - if (!$old_password) { - $errormessage = $tr{'advproxy errmsg invalid user'}; - goto ERROR; - } - - # Reset password - if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'}, - $cgiparams{'OLD_PASSWORD'})) { - $errormessage = $tr{'advproxy errmsg password incorrect'}; - goto ERROR; - } + # Check if a user with this name and password exists in the userdb file + # and if it does then change the password to the new one + my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); + my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); + if (!$user) { + $errormessage = $tr{'advproxy errmsg invalid user'}; + goto ERROR; + } elsif (!old_password) { + $errormessage = $tr{'advproxy errmsg password incorrect'}; + goto ERROR; + } else { + &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'NEW_PASSWORD_1'}"); + } $success = 1; undef %cgiparams;
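Review bot: In the third hunk (the `@@ -76,21 +74,19 @@` region) the `} elsif (!old_password) {` branch is missing the `$` sigil, so it tests the bareword `old_password`, which without `use strict` is a non-empty string constant and always true; the "password incorrect" branch can therefore never be taken, and the `else` branch rewrites the password for any user name that `grep` finds, regardless of what was entered as the old password. That is exactly the check the removed `$htpasswd->htpasswd(...)` call used to enforce, so this needs `} elsif (!$old_password) {` at minimum. Even with the sigil fixed, `$old_password` only holds whatever `htpasswd -bv` wrote to stdout, and htpasswd reports the verdict through its exit status and a message on stderr ("Password for user X correct." / "password verification failed" / "User X not found"), so captured output is not a reliable signal either way; check the exit status of the `-v` run instead, which is non-zero both for an unknown user and for a wrong password and so also makes the separate `grep` call unnecessary. That `grep` deserves replacing anyway: it runs the raw user name as a regex pattern over the whole file, so a short name such as `a` matches any line containing that letter and a name with regex metacharacters matches the wrong lines or none; if it stays, anchor it to the user field (`"^" . $name . ":"`, with the name escaped) or use `grep -F`. Two smaller points on the same hunk: `"-C 10"` is passed as a single argv element, so getopt sees option `C` with the value `" 10"` (leading space) and it works only because the cost parser tolerates that, so pass `"-C", "10"` or `"-C10"` instead; and `-b` places both the old and the new password on the htpasswd command line, where any local process can read them from the process list for the duration of the call (the htpasswd documentation itself warns about this), whereas `htpasswd -i` reads the password from stdin.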