Security bug !!! Vulnerable password

uollan (Verified User, joined Dec 22, 2008)
Hello,

I've (casually) tried to access the DirectAdmin panel using the correct password without 1, 2 or 3 characters at the end... LOGIN SUCCESS !!!

Any idea?!?
 
We're not seeing this on our servers. Which version are you running and is this the case for each user on this server?
 
I am not able to re-create this on my servers, and only able to log in using the exact and correct password. Removing one character at the end of the password, and we are not able to log in.
 
This isn't a DirectAdmin vulnerability; it's an OS issue. You haven't replied yet to your password length, and your OS has a limit on the number of characters it actually looks at in a password.

Jeff
 
It is not a bug. No matter how long your password is, you can log in with the first eight letters. That's because you have not enabled MD5.

Also check your /etc/login.defs file and scroll down to near the bottom.

Set:

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

remove the # in front of it, save/exit.

Save/Reset your password through DA again.
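The eight-character limit described in the thread is the behaviour of traditional DES crypt: the resulting hash field in /etc/shadow is 13 characters with no `$` prefix, and only the first eight characters of the password are used. The script below is an added example (not something posted in the thread or shipped by DirectAdmin) that an administrator can use to audit for that state: it classifies shadow-style hash fields by algorithm prefix, lists the accounts still on DES, and reports what ENCRYPT_METHOD / MD5_CRYPT_ENAB a login.defs-style file actually sets once the `#` is removed. All hashes and configuration lines in it are constructed sample data, not real credentials.

```shell
#!/bin/sh
# Added audit example: find accounts whose password hash is legacy DES
# (the format limited to the first eight characters) and report the
# hashing method a login.defs file configures. Sample data is constructed.

# hash_scheme HASHFIELD -> prints the algorithm name of one shadow hash field
hash_scheme() {
    h=$1
    # A leading '!' only marks the account as locked; classify what follows it.
    while [ "${h#!}" != "$h" ]; do h=${h#!}; done
    case "$h" in
        '')            echo none ;;      # no hash at all (e.g. "!!")
        '*'*)          echo locked ;;    # "*" or "*LK*": no valid hash
        '$1$'*)        echo md5 ;;
        '$2'*)         echo bcrypt ;;    # $2a$, $2b$, $2y$
        '$5$'*)        echo sha256 ;;
        '$6$'*)        echo sha512 ;;
        '$y$'*|'$7$'*) echo yescrypt ;;
        *)
            # Traditional DES: exactly 13 chars from [./0-9A-Za-z], no '$' prefix.
            if printf '%s' "$h" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# des_accounts < shadow-style text -> prints the user names still on DES hashes
des_accounts() {
    while IFS=: read -r user hash _; do
        if [ "$(hash_scheme "$hash")" = des ]; then
            printf '%s\n' "$user"
        fi
    done
    return 0
}

# encrypt_method < login.defs-style text -> effective method, or "unset"
# Commented-out lines are ignored, exactly as shadow-utils ignores them.
encrypt_method() {
    awk '
        $1 == "ENCRYPT_METHOD" { method = $2 }
        $1 == "MD5_CRYPT_ENAB" && toupper($2) == "YES" { md5 = 1 }
        END {
            if (method != "") print method
            else if (md5) print "MD5"
            else print "unset"
        }'
}

# Constructed sample shadow entries (fake hashes, not real credentials):
# alice and carol carry 13-character DES hashes, the others do not.
SAMPLE_SHADOW='root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:15000:0:99999:7:::
alice:x1Abc/d.EFgh2:15000:0:99999:7:::
bob:$1$saltsalt$FAKEMD5HASHFAKEMD5HASH:15000:0:99999:7:::
carol:!zyAbCdEfGhIj0:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
eve:!!:15000:0:99999:7:::'

# Constructed login.defs fragments: the shipped state with both lines still
# commented out, and the state after following the advice in the post.
SAMPLE_LOGIN_DEFS_DEFAULT='#MD5_CRYPT_ENAB yes
#ENCRYPT_METHOD MD5
UMASK 022'
SAMPLE_LOGIN_DEFS_FIXED='MD5_CRYPT_ENAB yes
ENCRYPT_METHOD MD5
UMASK 022'

echo "Accounts still on DES (only first 8 password chars checked):"
printf '%s\n' "$SAMPLE_SHADOW" | des_accounts
echo "login.defs as shipped:  $(printf '%s\n' "$SAMPLE_LOGIN_DEFS_DEFAULT" | encrypt_method)"
echo "login.defs after fix:   $(printf '%s\n' "$SAMPLE_LOGIN_DEFS_FIXED" | encrypt_method)"
```

On a real host, run it as root with `des_accounts < /etc/shadow` and `encrypt_method < /etc/login.defs`. Changing login.defs does not rewrite existing hashes, which is why the post ends with resetting the password: an account stays on DES until its password is set again. Note also that ENCRYPT_METHOD governs the shadow-utils tools; password changes that go through PAM (pam_unix in /etc/pam.d) use the method configured there, so the decisive check is the hash prefix in /etc/shadow after the reset.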
 
I have these two lines commented out on Debian GNU/Linux 5.0.
Is this a problem? All my passwords are working fine!
 