diff --git a/admin_customers.php b/admin_customers.php index 5c12dcfd..e392f60d 100644 --- a/admin_customers.php +++ b/admin_customers.php @@ -820,7 +820,8 @@ if($page == 'customers' } inserttask('1'); - $result = $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` " . "(`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', ENCRYPT('" . $db->escape($password) . "'), '" . $db->escape($documentroot) . "', 'y', '" . (int)$guid . "', '" . (int)$guid . "')"); + $cryptPassword = makeCryptPassword($db->escape($password),1); + $result = $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` " . "(`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($documentroot) . "', 'y', '" . (int)$guid . "', '" . (int)$guid . "')"); $result = $db->query("INSERT INTO `" . TABLE_FTP_GROUPS . "` " . "(`customerid`, `groupname`, `gid`, `members`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($guid) . "', '" . $db->escape($loginname) . "')"); $result = $db->query("INSERT INTO `" . TABLE_FTP_QUOTATALLIES . "` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES ('" . $db->escape($loginname) . "', 'user', '0', '0', '0', '0', '0', '0')"); $log->logAction(ADM_ACTION, LOG_NOTICE, "automatically added ftp-account for user '" . $loginname . "'"); diff --git a/customer_email.php b/customer_email.php index 27b5f746..590605ce 100644 --- a/customer_email.php +++ b/customer_email.php @@ -438,6 +438,9 @@ elseif($page == 'accounts') { $password = substr(md5(uniqid(microtime(), 1)), 12, 6); } + + $cryptPassword = makeCryptPassword($db->escape($password),1); + $email_user=substr($email_full,0,strrpos($email_full,"@")); $email_domain=substr($email_full,strrpos($email_full,"@")+1); $maildirname=trim($settings['system']['vmail_maildirname']); @@ -452,7 +455,7 @@ elseif($page == 'accounts') "'" . $db->escape($email_full) . "', ". "'" . $db->escape($username) . "', " . ($settings['system']['mailpwcleartext'] == '1' ? "'" . $db->escape($password) . "', " : '') . - "ENCRYPT('" . $db->escape($password) . "'), ". + "'" . $db->escape($cryptPassword) . "', ". "'" . $db->escape($settings['system']['vmail_homedir']) . "', '" . $db->escape($userinfo['loginname'] . '/' . $email_domain . "/" . $email_user . "/" . $maildirpath) . "', ". "'" . (int)$settings['system']['vmail_uid'] . "', ". "'" . (int)$settings['system']['vmail_gid'] . "', ". @@ -461,6 +464,7 @@ elseif($page == 'accounts') "'" . (int)$quota . "', ". "'" . (int)$userinfo['imap'] . "', ". "'" . (int)$userinfo['pop3'] . "')"); + $popaccountid = $db->insert_id(); $result['destination'].= ' ' . $email_full; $db->query("UPDATE `" . TABLE_MAIL_VIRTUAL . "` SET ". @@ -584,7 +588,8 @@ elseif($page == 'accounts') $password = validatePassword($password); $log->logAction(USR_ACTION, LOG_NOTICE, "changed email password for '" . $result['email_full'] . "'"); - $result = $db->query("UPDATE `" . TABLE_MAIL_USERS . "` SET " . ($settings['system']['mailpwcleartext'] == '1' ? "`password` = '" . $db->escape($password) . "', " : '') . " `password_enc`=ENCRYPT('" . $db->escape($password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$result['popaccountid'] . "'"); + $cryptPassword = makeCryptPassword($db->escape($password),1); + $result = $db->query("UPDATE `" . TABLE_MAIL_USERS . "` SET " . ($settings['system']['mailpwcleartext'] == '1' ? "`password` = '" . $db->escape($password) . "', " : '') . " `password_enc`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$result['popaccountid'] . "'"); redirectTo($filename, Array('page' => 'emails', 'action' => 'edit', 'id' => $id, 's' => $s)); } else diff --git a/customer_ftp.php b/customer_ftp.php index 821c5b6c..b141b1cc 100644 --- a/customer_ftp.php +++ b/customer_ftp.php @@ -187,8 +187,9 @@ elseif($page == 'accounts') else { $path = makeCorrectDir($userinfo['documentroot'] . '/' . $path); - - $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` (`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) VALUES ('" . (int)$userinfo['customerid'] . "', '" . $db->escape($username) . "', ENCRYPT('" . $db->escape($password) . "'), '" . $db->escape($path) . "', 'y', '" . (int)$userinfo['guid'] . "', '" . (int)$userinfo['guid'] . "')"); + + $cryptPassword = makeCryptPassword($db->escape($password),1); + $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` (`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) VALUES ('" . (int)$userinfo['customerid'] . "', '" . $db->escape($username) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($path) . "', 'y', '" . (int)$userinfo['guid'] . "', '" . (int)$userinfo['guid'] . "')"); $result = $db->query("SELECT `bytes_in_used` FROM `" . TABLE_FTP_QUOTATALLIES . "` WHERE `name` = '" . $userinfo['loginname'] . "'"); while($row = $db->fetch_array($result)) { @@ -311,11 +312,12 @@ elseif($page == 'accounts') else { $log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'"); - $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`=ENCRYPT('" . $db->escape($password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'"); + $cryptPassword = makeCryptPassword($db->escape($password),1); + $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'"); // also update customers backup user password if password of main ftp user is changed if(!preg_match('/' . $settings['customer']['ftpprefix'] . '/', $result['username'])){ - $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`=ENCRYPT('" . $db->escape($password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $result['username'] . "_backup'"); + $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $result['username'] . "_backup'"); } } } diff --git a/customer_index.php b/customer_index.php index f92121b9..81548b8d 100644 --- a/customer_index.php +++ b/customer_index.php @@ -124,7 +124,8 @@ elseif($page == 'change_password') if(isset($_POST['change_main_ftp']) && $_POST['change_main_ftp'] == 'true') { - $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`=ENCRYPT('" . $db->escape($new_password) . "') WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $db->escape($userinfo['loginname']) . "'"); + $cryptPassword = makeCryptPassword($db->escape($new_password),1); + $db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $db->escape($userinfo['loginname']) . "'"); $log->logAction(USR_ACTION, LOG_NOTICE, 'changed main ftp password'); } diff --git a/install/froxlor.sql b/install/froxlor.sql index 460d628d..990dc1c5 100644 --- a/install/froxlor.sql +++ b/install/froxlor.sql @@ -34,7 +34,7 @@ CREATE TABLE `ftp_users` ( `username` varchar(255) NOT NULL default '', `uid` int(5) NOT NULL default '0', `gid` int(5) NOT NULL default '0', - `password` varchar(20) NOT NULL default '', + `password` varchar(128) NOT NULL default '', `homedir` varchar(255) NOT NULL default '', `shell` varchar(255) NOT NULL default '/bin/false', `login_enabled` enum('N','Y') NOT NULL default 'N', diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php index 2b6dc620..f8e230aa 100644 --- a/install/updates/froxlor/0.9/update_0.9.inc.php +++ b/install/updates/froxlor/0.9/update_0.9.inc.php @@ -1910,7 +1910,10 @@ if(isFroxlorVersion('0.9.28-svn1')) { if(isFroxlorVersion('0.9.28-svn2')) { showUpdateStep("Updating from 0.9.28-svn2 to 0.9.28-svn3"); lastStepStatus(0); - + + // change lenght of passwd column + $db->query("ALTER TABLE `" . TABLE_FTP_USERS . "` MODIFY `password` varchar(128) NOT NULL default ''"); + // Add default setting for vmail_maildirname if not already in place $handle = $db->query("SELECT `value` FROM `panel_settings` WHERE `settinggroup` = 'system' AND `varname` = 'vmail_maildirname';"); if ($db->num_rows($handle) < 1) { diff --git a/lib/functions/system/function.makeCryptPassword.php b/lib/functions/system/function.makeCryptPassword.php new file mode 100644 index 00000000..16c4cfcd --- /dev/null +++ b/lib/functions/system/function.makeCryptPassword.php @@ -0,0 +1,58 @@ + + * @license GPLv2 http://files.froxlor.org/misc/COPYING.txt + * @package Functions + * + */ + +/** + * Make crypted password from clear text password + * @param string Password to be crypted + * @param int Type of algorithm + * @return string encrypted password + * + * @author Michal Wojcik + * + * 0 - default crypt (depenend on system configuration) + * 1 - MD5 $1$ + * 2 - BLOWFISH $2a$ + * 3 - SHA-256 $5$ + * 4 - SHA-512 $6$ + */ + +function makeCryptPassword ($password, $type = 0) +{ + switch($type) + { + case 0: + $cryptPassword = crypt($password); + break; + case 1: + $cryptPassword = crypt($password, '$1$' . generatePassword(). generatePassword()); + break; + case 2: + $cryptPassword = crypt($password, '$2a$' . generatePassword(). generatePassword()); + break; + case 3: + $cryptPassword = crypt($password, '$5$' . generatePassword(). generatePassword()); + break; + case 4: + $cryptPassword = crypt($password, '$6$' . generatePassword(). generatePassword()); + break; + default: + $cryptPassword = crypt($password); + break; + } + + return ($cryptPassword); +}