I'm in the midst of porting the recent
Vexim mods to Exim4U which include a mod to not use the clear
password field.
FYI,
Gordon
On 03/09/2015 10:26 AM, Seidel, Michael wrote:
Hi Gordon, Hi List,
No problem. Glad I could help and you were able to reproduce
it. I guess it happens if you install apache2 and php5 with the
default meta packages or something like that.
My biggest issue with vexim/exim4u is the clear text
password. It's 2015 now and cleartext passwords are an evil thing
to have in ANY database. I didn't have time to deeply look into
the code and produce a patch to remove it yet. Every modern mail
client should be able to handle starttls and ssl tunnels so
plain, crypt and other legacy authentications can be called
obsolete and should be removed sooner rather than later, IMHO.
Maybe someone could spend a few hours to completely remove it?
It would be a huge security improvement.
Kind regards
Michael Seidel
Sysadmin
Sent via Mobile Phone
-------- Original message --------
From: Gordon Dickens <gecko@exim4u.org>
Date: 09.03.2015 14:52 (GMT+01:00)
To: Exim4U General Discussion <users@exim4u.org>
Subject: Re: [Exim4U] Web Portal Login w/ MD5
On 03/07/2015 02:46 PM, Torry Crass wrote:
THE PROBLEM
However,
I've come up with a problem. Any time an account is created
with the MD5 hash, e-mail and logging into e-mail directly
works fine, but logging into the exim4u web portal does not
so people are not able to manage their accounts via the web
interface. It simply returns a login failed message.
Hi Torry,
Sorry about your problem and that I have not replied sooner,
however, I've been away with limited access to my email since last
Wednesday. Also, a big thanks to Rimas Kudelis and Michael Seidel
for their posts.
Then, on 03/08/2015 04:59 AM, Seidel, Michael wrote:
Hi Torry, please have a look at my old
post on this list from August 2014:
http://exim4u.org/pipermail/users/2014-August/000226.html
Hi Michael,
Looks like you may have identified the problem and a potential
solution. I should have been more proactive back in August, when
you first posted your problem/solution, however, I had not yet
seen the issue myself in my installations which include two Debian
Wheezy installs. Nevertheless, I am now able to reproduce the
problem on my Wheezy installs. On the other hand, the problem does
not appear in my Debian Squeeze, CentOS and FreeBSD installs. As
an aside, this suhosin patch issue was not introduced into Wheezy
until sometime in mid 2014 since I know for certain that
everything worked fine until then on Wheezy.
Then, on 03/08/2015 02:15 PM, Torry Crass wrote:
Michael, Your post is spot on to what the
problem I'm running into is related to. Even in the newer source
off of github that I was looking at it isn't resolved (and
several other things are currently broken in that version, like
no submit button on editing an existing account). -- though the
old one does use MD5 passwords successfully.
I've modified the function as you suggested but login is still
not functioning properly, tossing a login failure to any SHA512
accounts.
I'm still working on it but thought I would send a message
thanking you for that guidance.
Torry, please let us know your findings. I will spend some time
on this myself, however, it will probably be later in the week.
Also, I am curious about what wasn't working in the github
version. I've got a FreeBSD installation running the current
github version and I am not seeing the missing submit button that
you reported and I am unaware of any other current issues.
However, I am in the middle of porting a lot of the recent Vexim
mods and, while I have done some situational testing, I have not
yet thoroughly tested all of the recent mods. So, please report
any bugs that you find and I will work to address them.
Thanks,
Gordon