Froxlor Forum

Warning about using MySQL's ENCRYPT() function


kionez

Question

Hi,

 

I'm modifying a customer's FTP password, and I noticed a security issue.

 

Using MySQL ENCRYPT() there's no difference between password hashes if the password is longer than 8 characters, as reported in the MySQL manual:

 

ENCRYPT() ignores all but the first eight characters of str, at least on some systems. This behavior is determined by the implementation of the underlying crypt() system call.

 

So, in a practical example the results are these:

 

mysql> select encrypt("P4ssw0rd"), encrypt("P4ssw0rd."), encrypt("P4ssw0rd.1"), encrypt("P4ssw0rd.11"), encrypt("P4ssw0rd.111"), encrypt("P4ssw0rdWHATEVER");
+---------------------+----------------------+-----------------------+------------------------+-------------------------+-----------------------------+
| encrypt("P4ssw0rd") | encrypt("P4ssw0rd.") | encrypt("P4ssw0rd.1") | encrypt("P4ssw0rd.11") | encrypt("P4ssw0rd.111") | encrypt("P4ssw0rdWHATEVER") |
+---------------------+----------------------+-----------------------+------------------------+-------------------------+-----------------------------+
| nT5aR7GZKL00E       | nT5aR7GZKL00E        | nT5aR7GZKL00E         | nT5aR7GZKL00E          | nT5aR7GZKL00E           | nT5aR7GZKL00E               |
+---------------------+----------------------+-----------------------+------------------------+-------------------------+-----------------------------+
1 row in set (0.00 sec)

 

 

Actually I'm using the old SysCP panel, because I have to migrate about 130 customers and currently I have no time to update to Froxlor, but watching SysCP's bugtracker I noticed that all development activity is frozen. So I report this issue in this forum, hoping that the developers take care of Froxlor security.

 

(I'm patching my system to use MD5 password hashes, if there's something usable I'll post it there.)

 

k.

 

EDIT: fix a typo


3 answers to this question


A patch is welcome at any time

 

Hi,

 

it's not a patch, but it's the workflow I followed.

Surely there is a better way to implement it, but at the moment I have no time to research.

 

I changed only the code that affects FTP users, using ProFTPd as the server.

(Many ideas are taken from: ProFTPd manual)

 

* modify the table schema of "ftp_users", in order to store an md5 hash (32 chars)

 

ALTER TABLE `ftp_users` CHANGE `password` `password` varchar(32) COLLATE 'latin1_swedish_ci' NOT NULL DEFAULT '' AFTER `gid`, COMMENT=''

 

* modify the config file of proftpd, commenting out the old method and enabling the new one:

#SQLAuthTypes Crypt
SQLAuthTypes OpenSSL 

 

* then modify files admin_customers.php, customer_ftp.php and customer_index.php, inserting

# Fix for password encryption
$password_enc = "{md5}".base64_encode(pack("H*", md5($password)));

before any query using the variable $password and replacing every occurrence of

 ENCRYPT('" . $db->escape($new_password) ."') 

with:

 $db->escape($password_enc) 

 

I've just tested it and it seems to work fine, obviously more testing is needed.. Maybe I'll release a patch in the next days.. but now I'm too busy :(

 

Another solution, which does not require a change to the proftpd configuration, should be:

 

* modify the table schema of "ftp_users", in order to store a crypt() hash (35 chars)

 

* then modify files admin_customers.php, customer_ftp.php and customer_index.php, replacing every occurrence of

 ENCRYPT('" . $db->escape($new_password) ."') 

with something like:

 $db->escape(crypt($password)) 

maybe with a custom salt, or something like that..

 

k.

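The following is an added example, not code from SysCP, Froxlor or the poster. It shows, in Python rather than the panel's PHP, the two things the posts above describe: the "{md5}" value that ProFTPd's mod_sql accepts with SQLAuthTypes OpenSSL (the literal prefix "{md5}" followed by the base64 of the raw 16-byte MD5 digest, which is what "{md5}".base64_encode(pack("H*", md5($password))) produces), and an audit over rows of the ftp_users table that flags hashes still produced by MySQL's ENCRYPT(), i.e. traditional 13-character DES crypt() output in which only the first 8 password characters matter. The sample rows are constructed; the DES value is the one from the first post.

```python
"""Audit ftp_users password hashes and produce ProFTPd-compatible {md5} hashes.

Added example, not SysCP/Froxlor code. Assumes the {md5} format that ProFTPd's
mod_sql accepts with "SQLAuthTypes OpenSSL": "{md5}" + base64(raw MD5 digest).
"""
import base64
import hashlib
import hmac
import re
from typing import Dict, List

# Traditional DES crypt(): 2 salt chars + 11 hash chars, 13 chars total, all from
# the [./0-9A-Za-z] alphabet. MySQL's ENCRYPT() returns exactly this, and the
# underlying crypt() only looks at the first 8 characters of the password.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def proftpd_md5_hash(password: str) -> str:
    """Return "{md5}" + base64(raw MD5 digest), the value the PHP fix stores."""
    digest = hashlib.md5(password.encode("utf-8")).digest()  # 16 raw bytes
    return "{md5}" + base64.b64encode(digest).decode("ascii")


def verify_proftpd_md5(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {md5} value.

    Recomputes the hash and compares in constant time, so the check does not
    leak how many leading characters matched.
    """
    if not stored.startswith("{md5}"):
        return False
    return hmac.compare_digest(proftpd_md5_hash(password), stored)


def classify_hash(stored: str) -> str:
    """Label the scheme of one stored ftp_users.password value."""
    if stored.startswith("{md5}"):
        return "proftpd-md5"  # whole password hashed, no 8-char truncation
    if stored.startswith("$1$"):
        return "md5-crypt"    # crypt() MD5 scheme, also no 8-char truncation
    if _DES_CRYPT_RE.match(stored):
        return "des-crypt"    # ENCRYPT() output: first 8 password chars only
    return "unknown"


def audit_ftp_users(rows: List[Dict[str, str]]) -> List[str]:
    """Return the usernames whose stored hash still comes from ENCRYPT()/DES crypt().

    These hashes cannot be converted to another scheme without the plaintext,
    so the affected accounts need a password reset after the panel is patched.
    """
    return [r["username"] for r in rows if classify_hash(r["password"]) == "des-crypt"]


# Constructed sample rows (not real accounts). "nT5aR7GZKL00E" is the ENCRYPT()
# value shown in the first post; the $1$ entry is a placeholder, not a real hash.
SAMPLE_ROWS = [
    {"username": "web1", "password": "nT5aR7GZKL00E"},
    {"username": "web2", "password": proftpd_md5_hash("P4ssw0rd.111")},
    {"username": "web3", "password": "$1$saltsalt$PLACEHOLDER_NOT_A_REAL_HASH"},
]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row['username']:6} {classify_hash(row['password'])}")
    print("needs reset:", audit_ftp_users(SAMPLE_ROWS))
```

Two points worth noting when applying this to a real migration: with the {md5} scheme, passwords that differ only after the eighth character now hash differently (the whole string is digested), but the digest is unsalted, so two accounts with the same password store the same value; and the audit can only flag legacy DES entries, never upgrade them, because ENCRYPT() discarded everything past the eighth character at the time the hash was made.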

I forgot to mention that I found other occurrences of "ENCRYPT" in customer_email.php. I don't use the SysCP\Froxlor panels to handle mail accounts, so I didn't investigate any further.. but the security warning is also valid for this file.. everywhere you used MySQL's encrypt() you have this problem.

 

k.


Archived

This topic is now archived and is closed to further replies.
