Hi,
There is a problem with Password plugin's password encryption in Debian Squeeze. Because of a known bug in Debian's PHP (CRYPT_SALT_LENGTH is not set*), the password is currently being encrypted with an empty salt in SQL driver (but I think this might apply to the LDAP driver too, because it too uses crypt()).
The simple fix is to replace this block of code in drivers/sql.php (https://svn.roundcube.net/trunk/plugins/password/drivers/sql.php):
$salt = '';
if (CRYPT_MD5) {
$len = rand(3, CRYPT_SALT_LENGTH);
} else if (CRYPT_STD_DES) {
$len = 2;
} else {
return PASSWORD_CRYPT_ERROR;
}
for ($i = 0; $i < $len ; $i++) {
$salt .= chr(rand(ord('.'), ord('z')));
}
$sql = str_replace('%c', $db->quote(crypt($passwd, CRYPT_MD5 ?
'$1$'.$salt.'$' : $salt)), $sql);
with a single line:
$sql = str_replace('%c', $db->quote(crypt($passwd)), $sql);
When called without the second parameter, crypt() will automatically generate the salt itself. Which makes me wonder: why does the plugin try to generate this random salt instead of simply relying on PHP to do that? As far as I know, crypt($text, $salt) is useful when you actually want to check whether the password is correct, but there's absolutely no need to use your own random salt when setting user's password – PHP will take care.
May I suggest to apply this change in SVN? I really don't see why the plugin should use 12 lines of code to achieve what can be achieved in one line.
Regards, Rimas
List info: http://lists.roundcube.net/dev/ BT/aba52c80
-
Rimas Kudelis