Threaded Mode | Linear Mode

BlueAngel · 07-02-2008 01:27 AM

Hi,

I've searched trough the forums and bug track but found nothing.

When you create an ftp account if the user enters a password like

password2008

then you can login in the account using either
password
or
password<any combination of numbers>

Hi've made some more tests and it seems that as long as the first 8 chars are correct, then the user is free to login.

This shouldn't happen.

regards
Hugo

**kilburn** · 07-02-2008 03:09 AM

Lastest trunk is working OK for me.

Can you post your proftpd's config, the "ftp_users" table structure and an example record please? (You can get this using phpmyadmin if you're not used to mysql console client)

sci2tech · 07-02-2008 03:29 AM

I can confirm this. If a password exceed 8 characters first 8 are enough to enter acount (does not matter if the rest are numbers or not). Using r1253 with debian lenny and ProFTPD version is 1.3.1
If this felp you

Code:

CREATE TABLE IF NOT EXISTS `ftp_users` (

  `userid` varchar(255) collate utf8_unicode_ci default NULL,

  `passwd` varchar(255) collate utf8_unicode_ci default NULL,

  `uid` int(10) unsigned NOT NULL default '0',

  `gid` int(10) unsigned NOT NULL default '0',

  `shell` varchar(255) collate utf8_unicode_ci default NULL,

  `homedir` varchar(255) collate utf8_unicode_ci default NULL,

  UNIQUE KEY `userid` (`userid`)

) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

INSERT INTO `ftp_users` (`userid`, `passwd`, `uid`, `gid`, `shell`, `homedir`) VALUES

('sci2tech@cms.eu.bogus', 'yiNInGckw3Pog', 2005, 2005, '/bin/bash', '/var/www/virtual/cms.eu.bogus');

Password is *Abracadabra but you can login with *Abracad
/etc/proftpd/proftpd.conf:

Quote:Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off

ServerName "eu.bogus"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

AllowOverwrite on
UseReverseDNS off
IdentLookups off
AllowStoreRestart on
AllowForeignAddress on

LogFormat traff "%b %u"

TimeoutLogin 120
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir message

ListOptions "-l"
#LsDefaultOptions "-l"

DenyFilter \*.*/

DefaultRoot ~

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off

# Port 21 is the standard FTP port.
Port 21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
#PassivePorts 49152 65534

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
HideNoAccess on
</Directory>

# But not to overwrite ispCP Standard directories.
<Directory ~/>
PathDenyFilter "^/(backups|cgi-bin|htdocs|errors|logs|phptmp|statistics)/?$"
</Directory>

<Limit ALL>
IgnoreHidden on
</Limit>

# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile off

<Global>
RootLogin off
TransferLog /var/log/proftpd/xferlog
ExtendedLog /var/log/proftpd/ftp_traff.log read,write traff
PathDenyFilter "\.quota$"
</Global>

#
# SSL via TLS
#
#<IfModule mod_tls.c>
# TLSEngine off # on for use of TLS
# TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
# TLSProtocol SSLv23 # SSLv23 or TLSv1
# TLSOptions NoCertRequest # either to request the certificate or not
# TLSRSACertificateFile /etc/proftpd/ssl.crt # SSL certfile
# TLSRSACertificateKeyFile /etc/proftpd/ssl.key # SSL keyfile
# TLSVerifyClient off # client verification
#</IfModule>

#
# ISPCP Quota management;
#
<IfModule mod_quota.c>
QuotaEngine on
QuotaShowQuotas on
QuotaDisplayUnits Mb

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM quotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" quotatallies

QuotaLock /var/run/proftpd/tally.lock
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
</IfModule>

<IfModule mod_ratio.c>
Ratios on
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=de...2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>

# ispCP SQL Managment
SQLBackend mysql
SQLAuthTypes Crypt
SQLAuthenticate on
SQLConnectInfo ispcp@localhost vftp X?Wd][5$tj%VO-iDm&
SQLUserInfo ftp_users userid passwd uid gid homedir shell
SQLGroupInfo ftp_group groupname gid members
SQLMinID 2000

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

sci2tech · 07-02-2008 04:23 AM

Problem solved see and test http://www.isp-control.net/ispcp/ticket/1372 (works for me). (read also http://www.php.net/manual/en/function.crypt.php#53848)

**kilburn** · 07-02-2008 04:31 AM

Fixed in r1255.

Thanks sci2tech!

sci2tech · 07-02-2008 04:32 AM

Thanks for fast release Smile

that bug really hurts Smile

sci2tech · 07-02-2008 06:06 AM

I`d like to propose a better solution for function generate_rand_salt

Code:

function generate_rand_salt($min = 46, $max = 126) {

    if (CRYPT_BLOWFISH == 1) {

        $length=13;

        $pre='$2$';

    } elseif (CRYPT_MD5 == 1) {

        $length=9;

        $pre='$1$';

    } elseif (CRYPT_EXT_DES == 1) {

        $length=9;

        $pre='';

    } elseif (CRYPT_STD_DES == 1) {

        $length=2;

        $pre='';

    }

    $salt=$pre;

    for($i=0;$i<$length;$i++)

        $salt .= chr(mt_rand($min, $max));

    return $salt;

}

Also restore function to crypt_user_ftp_pass

Code:

function crypt_user_ftp_pass($data) {

    $res = crypt($data, generate_rand_salt());

    return $res;

}

***RatS*** · 07-02-2008 09:34 AM

That's what I've changed first ... 2 persons, 1 thought ...

**kilburn** · 07-02-2008 04:56 PM

I hate democracy... Tongue

Threaded Mode \| Linear Mode ending numbers ignored on ftp password
Author	Message