1 (edited by domovoi 2016-10-09 22:21:09)

Topic: problem login iRedAdmin 0.6.1

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: FreeBSD
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache2.2
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Hi.
When I go to the admin panel. Fits any password. How to solve it?








Hey.
If you are logged in Ed Admin.


2

Re: problem login iRedAdmin 0.6.1

domovoi wrote:

Fits any password. How to solve it?

Excuse me, what do you mean "fits any password"? What issue are we talking about?

3 (edited by domovoi 2016-10-10 03:13:52)

Re: problem login iRedAdmin 0.6.1

I can use any character when entering password, and it is accepted.

4

Re: problem login iRedAdmin 0.6.1

Issue confirmed. This is a critical and urgent security issue of iRedAdmin (both open source edition and iRedAdmin-Pro) on FreeBSD and OpenBSD, please fix it with the patch below. I will create a separate announcement topic and release a version with this fix immediately. Thanks very much for the feedback.

Patch for iRedAdmin-0.6.1 (open source edition):

diff -r fd3c6ed95158 libs/iredutils.py
--- a/libs/iredutils.py    Wed Sep 21 15:00:15 2016 +0800
+++ b/libs/iredutils.py    Mon Oct 10 11:02:53 2016 +0800
@@ -326,7 +326,7 @@
             or challenge_password.startswith('{blf-crypt}'):
         challenge_password = challenge_password[11:]
 
-    return bcrypt.hashpw(plain_password, challenge_password)
+    return bcrypt.checkpw(plain_password, challenge_password)
 
 
 def generate_md5_password(p):
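Review bot: The return line has no regression test, and without one this can regress silently: add a test that passes a wrong password and asserts the result is False, plus one with the correct password asserting True. Since the return value is now a boolean rather than the string hashpw() produced, also check each caller for a comparison against the stored hash, and document the return type in a docstring.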

Patch for iRedAdmin-Pro:

diff -r 6b987e477467 libs/iredpwd.py
--- a/libs/iredpwd.py    Mon Oct 10 01:56:01 2016 +0800
+++ b/libs/iredpwd.py    Mon Oct 10 11:03:17 2016 +0800
@@ -138,7 +138,7 @@
             or challenge_password.startswith('{blf-crypt}'):
         challenge_password = challenge_password[11:]
 
-    return bcrypt.hashpw(plain_password, challenge_password)
+    return bcrypt.checkpw(plain_password, challenge_password)
 
 
 def generate_md5_password(p):
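Review bot: bcrypt.checkpw() on the return line is still handed challenge_password exactly as stored, minus the 11-character prefix, so a truncated or malformed stored value reaches the library unvalidated. Confirm what checkpw() does with such input in the bcrypt module installed on FreeBSD and OpenBSD (including whether that module provides checkpw at all), and wrap the call so that any error results in False rather than an unhandled exception. The hard-coded 11 would also read more safely as len('{blf-crypt}').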

5

Re: problem login iRedAdmin 0.6.1

Announced this bug and fix below, also sent email to notify all iRedAdmin-Pro customers (who own an active license):
http://www.iredmail.org/forum/topic1180 … enbsd.html

Thanks very much for the report.

6

Re: problem login iRedAdmin 0.6.1

Thx.

Problem solved.
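The behaviour change made by the patch in post 4, as an added example that is not part of the thread or of iRedAdmin's code: a verifier that returns the recomputed hash is truthy for every password, while one that compares returns a boolean. Assumptions: PBKDF2 from the standard library stands in for the bcrypt module, and `login_ok`, `strip_scheme`, `verify_before`, `verify_after` and the `STORED` record are hypothetical names constructed for the illustration.

```python
import hashlib
import hmac
import os

# Stand-in for the bcrypt module (assumption): PBKDF2 from the standard
# library with a "salt$digest" hex encoding, so this runs without bcrypt.
def hashpw(plain, salt_or_hash):
    """Like bcrypt.hashpw(): hash with the salt embedded in the 2nd argument."""
    salt = salt_or_hash.split('$')[0]
    digest = hashlib.pbkdf2_hmac('sha256', plain.encode('utf-8'),
                                 bytes.fromhex(salt), 10000)
    return salt + '$' + digest.hex()

def checkpw(plain, stored):
    """Like bcrypt.checkpw(): re-hash, compare in constant time, return bool."""
    return hmac.compare_digest(hashpw(plain, stored), stored)

def strip_scheme(challenge_password):
    # Prefix handling as in the context lines of the patch.
    if challenge_password.startswith('{blf-crypt}'):
        challenge_password = challenge_password[11:]
    return challenge_password

def verify_before(challenge_password, plain_password):
    # Pre-patch: returns the recomputed hash, a non-empty string.
    return hashpw(plain_password, strip_scheme(challenge_password))

def verify_after(challenge_password, plain_password):
    # Post-patch: True only when the password matches the stored hash.
    return checkpw(plain_password, strip_scheme(challenge_password))

def login_ok(verify, stored, attempt):
    # Hypothetical caller that uses the verifier's result as a truth value.
    return bool(verify(stored, attempt))

# Constructed sample record, not a real account.
STORED = '{blf-crypt}' + hashpw('correct horse', os.urandom(16).hex())

if __name__ == '__main__':
    for name, verify in (('before', verify_before), ('after', verify_after)):
        for attempt in ('correct horse', 'anything'):
            print(name, repr(attempt), login_ok(verify, STORED, attempt))
```

The wrong-password case is the one worth keeping as a regression test, since the correct-password case passes under both versions.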