* [PATCH 1/5] chpasswd.cgi: Fixes bug12755 - proxy auth password problem longer than 8 chars
@ 2025-05-06 14:10 Adolf Belka
2025-05-06 14:10 ` [PATCH 2/5] proxy.cgi: Fixes bug12755 - proxy auth problem with password " Adolf Belka
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Adolf Belka @ 2025-05-06 14:10 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- The existing version of the Perl module Apache::Htpasswd was using the crypt hash for
the password hashing, which is very insecure. The only alternatives with this module
are the md5 and sha1 hashes, which are also considered weak now.
- The module was last updated in Nov 2012 and there is no alternative module available.
- This patch replaces that Perl module with the use of the Apache htpasswd program. This can
be set to use the bcrypt hash, which is considered secure. This is used for the
generation of the root and admin passwords during the IPFire install.
- Tested out on my VM testbed system and the password for a specific user name was
changed successfully without any restriction to the length of the password.
- Existing passwords with the existing md5 or crypt options will still work as htpasswd
can manage different encoding hashes in the one file.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/chpasswd.cgi | 32 ++++++++++++++------------------
1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index 4930c4ca3..bda693193 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -20,8 +20,6 @@
###############################################################################
use CGI qw(param);
-use Apache::Htpasswd;
-use Crypt::PasswdMD5;
$swroot = "/var/ipfire";
@@ -76,21 +74,19 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
goto ERROR;
}
- my $htpasswd = new Apache::Htpasswd("$userdb");
-
- # Check if a user with this name exists
- my $old_password = $htpasswd->fetchPass($cgiparams{'USERNAME'});
- if (!$old_password) {
- $errormessage = $tr{'advproxy errmsg invalid user'};
- goto ERROR;
- }
-
- # Reset password
- if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'},
- $cgiparams{'OLD_PASSWORD'})) {
- $errormessage = $tr{'advproxy errmsg password incorrect'};
- goto ERROR;
- }
+ # Check if a user with this name and password exists in the userdb file
+ # and if it does then change the password to the new one
+ my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb");
+ my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}");
+ if (!$user) {
+ $errormessage = $tr{'advproxy errmsg invalid user'};
+ goto ERROR;
+ } elsif (!old_password) {
+ $errormessage = $tr{'advproxy errmsg password incorrect'};
+ goto ERROR;
+ } else {
+ &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'NEW_PASSWORD_1'}");
+ }
$success = 1;
undef %cgiparams;
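Review bot: In the `elsif (!old_password)` branch the `$` sigil is missing, so the test is on the bareword `old_password` and not on the result of the `htpasswd -bv` call. Without `use strict` a bareword is a non-empty string and `!old_password` is always false, so any existing user name falls through to the `else` branch and the password is replaced without the old one being checked; this should read `elsif (!$old_password)`. Even with the sigil, the outcome depends on what `&General::system_output` returns for a failed verification; testing the exit status of `htpasswd -v` would be unambiguous. Separately, `grep` with the raw `USERNAME` as its pattern matches substrings and regex metacharacters anywhere in the line, including the hash field, and a value starting with `-` is parsed as an option; matching `^name:` after `--`, or reading `$userdb` directly in Perl, would be stricter. The `-b` flag also places both the old and the new password on the htpasswd command line.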
--
2.49.0
* [PATCH 2/5] proxy.cgi: Fixes bug12755 - proxy auth problem with password longer than 8 chars
From: Adolf Belka @ 2025-05-06 14:10 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- This makes the proxy local password management the same between chpasswd.cgi and
proxy.cgi
- Tested out on my vm testbed and was able to create and modify users and their passwords
in the proxy.cgi page or modify a password for a specified user on the chpasswd.cgi
page. This all happened successfully and was confirmed by testing out the local
authentication.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/proxy.cgi | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index c8e3576df..bdce2fa66 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -20,7 +20,6 @@
###############################################################################
use strict;
-use Apache::Htpasswd;
use Scalar::Util qw(looks_like_number);
# enable only the following on debugging purpose
@@ -4050,15 +4049,7 @@ sub adduser
close(FILE);
} else {
&deluser($str_user);
-
- my %htpasswd_options = (
- passwdFile => "$userdb",
- UseMD5 => 1,
- );
-
- my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
-
- $htpasswd->htpasswd($str_user, $str_pass);
+ &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$str_user", "$str_pass");
}
if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");
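Review bot: The return value of the added `&General::system("/usr/bin/htpasswd", ...)` call is ignored, and it runs directly after `&deluser($str_user);`, so if htpasswd fails the existing entry has already been removed and the group handling below still proceeds. Check the result and report an error before continuing. Also, `"-C 10"` is passed as a single argument containing a space; `"-C", "10"` as two list elements is the conventional form. The `-b` flag exposes `$str_pass` in the process list while htpasswd runs; the `-i` option reads the password from stdin instead.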
--
2.49.0
* [PATCH 3/5] chpasswd.cgi: Make swroot refs the same as for other cgi files
From: Adolf Belka @ 2025-05-06 14:10 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- This uses the swroot definition from general-functions.pl and makes the definition
the same as used in the majority of other IPFire cgi files.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/chpasswd.cgi | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index bda693193..6e9dd9e1c 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -21,7 +21,7 @@
use CGI qw(param);
-$swroot = "/var/ipfire";
+require '/var/ipfire/general-functions.pl';
my %cgiparams;
my %mainsettings;
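Review bot: The `require '/var/ipfire/general-functions.pl';` added here is what loads the `General::` namespace, yet patch 1/5 already calls `&General::system_output` and `&General::system` in this file. Unless general-functions.pl is loaded somewhere else in chpasswd.cgi, applying patch 1/5 alone leaves the script calling undefined functions; moving this `require` into patch 1/5 would keep the series bisectable.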
@@ -30,8 +30,8 @@ my %proxysettings;
$proxysettings{'NCSA_MIN_PASS_LEN'} = 6;
### Initialize environment
-&readhash("${swroot}/main/settings", \%mainsettings);
-&readhash("${swroot}/proxy/advanced/settings", \%proxysettings);
+&readhash("${General::swroot}/main/settings", \%mainsettings);
+&readhash("${General::swroot}/proxy/advanced/settings", \%proxysettings);
$language = $mainsettings{'LANGUAGE'};
### Initialize language
@@ -40,12 +40,12 @@ if ($language =~ /^(\w+)$/) {$language = $1;}
# Uncomment this to force a certain language:
# $language='en';
#
-require "${swroot}/langs/en.pl";
-require "${swroot}/langs/${language}.pl";
+require "${General::swroot}/langs/en.pl";
+require "${General::swroot}/langs/${language}.pl";
-my $userdb = "$swroot/proxy/advanced/ncsa/passwd";
+my $userdb = "$General::swroot/proxy/advanced/ncsa/passwd";
-&readhash("$swroot/ethernet/settings", \%netsettings);
+&readhash("$General::swroot/ethernet/settings", \%netsettings);
my $success = 0;
--
2.49.0
* [PATCH 4/5] perl-Apache_Htpasswd: remove module from IPFire
From: Adolf Belka @ 2025-05-06 14:10 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- This module was only used for the proxy.cgi and chpasswd.cgi files for the local
authentication option.
- As this module was last updated in Nov 2012 its use has been replaced by direct use
of htpasswd. This is dealt with by other patches in this set.
- With those changes this module is no longer required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/perl-Apache-Htpasswd | 6 --
lfs/perl-Apache-Htpasswd | 77 --------------------
make.sh | 1 -
3 files changed, 84 deletions(-)
delete mode 100644 config/rootfiles/common/perl-Apache-Htpasswd
delete mode 100644 lfs/perl-Apache-Htpasswd
diff --git a/config/rootfiles/common/perl-Apache-Htpasswd b/config/rootfiles/common/perl-Apache-Htpasswd
deleted file mode 100644
index bd19e73a9..000000000
--- a/config/rootfiles/common/perl-Apache-Htpasswd
+++ /dev/null
@@ -1,6 +0,0 @@
-#usr/lib/perl5/site_perl/5.36.0/Apache
-usr/lib/perl5/site_perl/5.36.0/Apache/Htpasswd.pm
-#usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/auto/Apache
-#usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/auto/Apache/Htpasswd
-#usr/lib/perl5/site_perl/5.36.0/xxxMACHINExxx-linux-thread-multi/auto/Apache/Htpasswd/.packlist
-#usr/share/man/man3/Apache::Htpasswd.3
diff --git a/lfs/perl-Apache-Htpasswd b/lfs/perl-Apache-Htpasswd
deleted file mode 100644
index 14421fba2..000000000
--- a/lfs/perl-Apache-Htpasswd
+++ /dev/null
@@ -1,77 +0,0 @@
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-###############################################################################
-# Definitions
-###############################################################################
-
-include Config
-
-VER = 1.9
-
-THISAPP = Apache-Htpasswd-$(VER)
-DL_FILE = $(THISAPP).tar.gz
-DL_FROM = $(URL_IPFIRE)
-DIR_APP = $(DIR_SRC)/$(THISAPP)
-TARGET = $(DIR_INFO)/$(THISAPP)
-
-###############################################################################
-# Top-level Rules
-###############################################################################
-
-objects = $(DL_FILE)
-
-$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-
-$(DL_FILE)_BLAKE2 = abf3bd699f0db8c818f3b590d040bece213078127836f29984b4d7c9db26cbdac9c7f4572b17f526f60ad48ee7d3680d2b1d426bcc3b0b4646d42a9461cddd4d
-
-install : $(TARGET)
-
-check : $(patsubst %,$(DIR_CHK)/%,$(objects))
-
-download :$(patsubst %,$(DIR_DL)/%,$(objects))
-
-b2 : $(subst %,%_BLAKE2,$(objects))
-
-###############################################################################
-# Downloading, checking, b2sum
-###############################################################################
-
-$(patsubst %,$(DIR_CHK)/%,$(objects)) :
- @$(CHECK)
-
-$(patsubst %,$(DIR_DL)/%,$(objects)) :
- @$(LOAD)
-
-$(subst %,%_BLAKE2,$(objects)) :
- @$(B2SUM)
-
-###############################################################################
-# Installation Details
-###############################################################################
-
-$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
- @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && perl Makefile.PL
- cd $(DIR_APP) && make $(MAKETUNING)
- cd $(DIR_APP) && make install
- @rm -rf $(DIR_APP)
- @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index ab3867a8f..61921fee6 100755
--- a/make.sh
+++ b/make.sh
@@ -1713,7 +1713,6 @@ build_system() {
lfsmake2 perl-GD-TextUtil
lfsmake2 perl-Device-SerialPort
lfsmake2 perl-Device-Modem
- lfsmake2 perl-Apache-Htpasswd
lfsmake2 perl-Parse-Yapp
lfsmake2 perl-Data-UUID
lfsmake2 perl-Try-Tiny
--
2.49.0
* [PATCH 5/5] core195: Ship chpasswd.cgi and proxy.cgi files
From: Adolf Belka @ 2025-05-06 14:10 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/core/195/filelists/files | 2 ++
1 file changed, 2 insertions(+)
diff --git a/config/rootfiles/core/195/filelists/files b/config/rootfiles/core/195/filelists/files
index a4b1b0eeb..61e6d4c7e 100644
--- a/config/rootfiles/core/195/filelists/files
+++ b/config/rootfiles/core/195/filelists/files
@@ -13,6 +13,8 @@ srv/web/ipfire/cgi-bin/pakfire.cgi
srv/web/ipfire/cgi-bin/services.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
srv/web/ipfire/cgi-bin/wireguard.cgi
+srv/web/ipfire/cgi-bin/chpasswd.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
srv/web/ipfire/html/themes/ipfire/include/css/style.css
usr/lib/firewall/firewall-lib.pl
usr/local/bin/wireguardctrl
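Review bot: The two added entries sit after `wireguard.cgi` although the neighbouring `cgi-bin` lines are in alphabetical order; placing `chpasswd.cgi` and `proxy.cgi` in sorted position keeps the list easy to scan. Since patch 4/5 drops `Apache/Htpasswd.pm` from the common rootfiles, the core 195 update may also need to remove that file from already installed systems, which this hunk does not cover.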
--
2.49.0