commit a461fd70445aec9dfa34bf9c5a29a85e0ad0e2fe
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Sat May 10 12:30:56 2025 +0200
chpasswd.cgi: Fixes bug12755 - v3 with password verification correction
- v3 version based on feedback from @Michael to use the status value returned from
using the htpasswd command.
- Also simplified the whole section to carry out the change if the status is 0, ie all
went well, otherwise give an error but without identifying if the error is in the
username or the password. This makes it more secure as any attacker only knows it
failed and doesn't know if any part of the authentication was correct or not.
- Changed the error messages in line with this so the language file changes are in the
other part of this patch set submission.
- Tested out on my vm test bed and worked fine. If the username was incorrect or the
password was incorrect or both were incorrect the same error message is given. If
both are correct then the update is carried out.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9c0dab3d3ca807e836823253aced80a14bc1970a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 7 09:06:12 2025 +0000
chpasswd.cgi: Add missing $
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 4c39e38f90fea60ef62e07267fd84f1b89de0297
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue May 6 16:10:11 2025 +0200
chpasswd.cgi: Make swroot refs the same as for other cgi files
- This uses the swroot definition from general-functions.pl and makes the definition
the same as used in the majority of other IPFire cgi files.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6c1549ff7a9c8e3f9f17a29a6b169fce175fea42
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue May 6 16:10:09 2025 +0200
chpasswd.cgi: Fixes bug12755 - proxy auth password problem longer than 8 chars
- The existing version of the perl module Apache::Htpasswd was using the crypt hash for
the password hashing, which is very insecure. The only alternative with this module
is the md5 and sha1 hashes which are also considered weak now.
- The module was last updated in Nov 2012 and there is no alternative module available.
- This patch replaces that perl module with using the apache htpasswd program. This can
be set to use the bcrypt hash which is considered secure. This is used for the
generation of the root and admin passwords during the IPFire install.
- Tested out on my vm testbed system and the password for a specific user name was
changed successfully without any restriction to the length of the password.
- Existing passwords with the existing md5 or crypt options will still work as htpasswd
can manage different encoding hashes in the one file.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Handcrafted requests with shell commands could be sent to these
CGI files and gain shell access as unprivileged user.
References: #11087
Reported-by: Yann Cam <yann.cam@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
