From patchwork Sat May 10 10:30:56 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8715
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH v3 1/2] chpasswd.cgi: Fixes bug12755 - v3 with password verification correction
Date: Sat, 10 May 2025 12:30:56 +0200
Message-ID: <20250510103101.9179-1-adolf.belka@ipfire.org>

- v3 version based on feedback from @Michael to use the status value returned from using the htpasswd command.
- Also simplified the whole section to carry out the change if the status is 0, i.e. all went well, otherwise give an error but without identifying if the error is in the username or the password. This makes it more secure as any attacker only knows it failed and doesn't know if any part of the authentication was correct or not.
- Changed the error messages in line with this, so the language file changes are in the other part of this patch set submission.
- Tested out on my vm test bed and worked fine. If the username was incorrect or the password was incorrect or both were incorrect, the same error message is given. If both are correct then the update is carried out.

Fixes: bug12755
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/chpasswd.cgi | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index c00caca20..0a1a5c9e3 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -74,19 +74,14 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) goto ERROR; } - # Check if a user with this name and password exists in the userdb file - # and if it does then change the password to the new one - my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); - my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); - if (!$user) { - $errormessage = $tr{'advproxy errmsg invalid user'}; - goto ERROR; - } elsif (!$old_password) { - $errormessage = $tr{'advproxy errmsg password incorrect'}; - goto ERROR; - } else { - &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'NEW_PASSWORD_1'}"); - } + # If the htpasswd verification status is 0 then update the database + # otherwise respond with an error message. + if (&General::system("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}") != 0) { + $errormessage = $tr{'advproxy errmsg invalid user/password'}; + goto ERROR; + } else { + &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'NEW_PASSWORD_1'}"); + } $success = 1; undef %cgiparams;
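Review bot: the status of the second htpasswd call is ignored, so `$success = 1` is reached even when the update itself fails (for example if `$userdb` is not writable): apply the same `!= 0` test to the `-bB` call in the `else` branch and set `$errormessage` on failure instead of reporting success. The new verification check also assumes `&General::system` returns the child's exit status with 0 meaning success; if that helper returns Perl's raw `$?` or a true/false value, the comparison silently misbehaves, so confirm its contract in general-functions.pl. Moving to the exit status is the right fix: the removed code tested `$old_password`, the captured stdout of `htpasswd -bv`, but htpasswd reports verification through its exit status (its message goes to stderr), so that variable was empty even for a correct password. Two smaller points on the added lines: `"-C 10"` is passed as a single list element, carried over from the removed line; pass it as `"-C", "10"` so the bcrypt cost does not depend on how the option parser treats the embedded space. And while the single `invalid user/password` message is an improvement, an unknown user fails without a bcrypt comparison whereas a known user with a wrong password goes through a cost-10 bcrypt check, so the response time still differs and the unified message alone does not remove user enumeration; the `-b` flag, also inherited from the old code, still places the old and new passwords on the htpasswd command line where they are briefly visible in the process list.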