public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH v3 1/2] chpasswd.cgi: Fixes bug12755 - v3 with password verification correction
Date: Sat, 10 May 2025 12:30:56 +0200
Message-ID: <20250510103101.9179-1-adolf.belka@ipfire.org>

- v3 version based on feedback from @Michael to use the status value returned from
   using the htpasswd command.
- Also simplified the whole section to carry out the change if the status is 0, i.e. all
   went well, otherwise give an error but without identifying if the error is in the
   username or the password. This makes it more secure as any attacker only knows it
   failed and doesn't know if any part of the authentication was correct or not.
- Changed the error messages in line with this so the language file changes are in the
   other part of this patch set submission.
- Tested out on my VM test bed and worked fine. If the username was incorrect or the
   password was incorrect or both were incorrect the same error message is given. If
   both are correct then the update is carried out.

Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/chpasswd.cgi | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index c00caca20..0a1a5c9e3 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -74,19 +74,14 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
 		goto ERROR;
 	}
 
-       # Check if a user with this name and password exists in the userdb file
-       # and if it does then change the password to the new one
-       my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb");
-       my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}");
-       if (!$user) {
-               $errormessage = $tr{'advproxy errmsg invalid user'};
-               goto ERROR;
-       } elsif (!$old_password) {
-                $errormessage = $tr{'advproxy errmsg password incorrect'};
-                goto ERROR;
-       } else {
-               &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'NEW_PASSWORD_1'}");
-       }
+	# If the htpasswd verification status is 0 then update the database
+	# otherwise respond with an error message.
+	if (&General::system("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}") != 0) {
+		$errormessage = $tr{'advproxy errmsg invalid user/password'};
+		goto ERROR;
+	} else {
+		&General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'NEW_PASSWORD_1'}");
+	}
 
 	$success = 1;
 	undef %cgiparams;
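Review bot: the `else` branch discards the return value of the update call `&General::system("/usr/bin/htpasswd", "-bB", "-C 10", ...)`, so if rewriting the userdb fails (for example because the file is not writable) execution still falls through to `$success = 1` and the user is told the password was changed. Suggest checking it the same way as the verification call, e.g. `if (&General::system("/usr/bin/htpasswd", "-bB", "-C", "10", $userdb, $cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'}) != 0) { $errormessage = ...; goto ERROR; }`, which also passes `-C` and `10` as two argv elements rather than the single `"-C 10"` string that relies on the option parser tolerating a leading space. The `!= 0` test on the `-bv` verification is sound as long as `&General::system` returns non-zero for every htpasswd failure, including being unable to execute it at all, so the check fails closed; worth confirming against the helper's definition. Also note that `-b` keeps both the old and new password on the htpasswd command line, where they are visible in the process list for the duration of the call; that is pre-existing behaviour rather than something this hunk introduces.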
-- 
2.49.0



Thread overview:
2025-05-10 10:30 Adolf Belka [this message]
2025-05-10 10:30 ` [PATCH v3 2/2] langs: Update of language files in line with bug12755 fix Adolf Belka
