Security bug !!! Vulnerable password

[uollan]

Hello,

I've (casually) tryed to access to the directadmin panel using the correct password without 1,2 or 3 characters at the and... LOGIN SUCCESS !!!

Any idea?!?

 

[uollan]

END (not and)... sorry!

 

[ju5t]

We're not seeing this on our servers. Which version are you running and is this the case for each user on this server?

 

[zEitEr]

@uollan,

how long is your password?

 

[ditto]

I am not able to re-create this on my servers, and only able to log in using the exact and correct password. Removing one character at the end of the password, and we are not able to log in.

 

[nobaloney]

This isn't a DirectAdmin vulnerability; it's an OS issue. You haven't replied yet to your password length, and your OS has a limit on the number of characters it actuallly looks at in a password.

Jeff

 

[ISOS6]

It is not a bug. no matter how far your password you can log in with the first eight letters. That's because you have not enabled MD5.

Also check your /etc/login.defs file and scroll down to near the bottom.

Set:

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

remove the # in front of it, save/exit.

Save/Reset your password through DA again.

 

[uollan]

It works!

MD5_CRYPT_ENAB yes

is deprecated (on debian)

i've used only this setting

ENCRYPT_METHOD MD5

 

[urgido]

I have commented these two lines on Debian GNU/Linux 5.0
Is this a problem? All my password working good!