Storing raw passwords in mysql

**Proci** · Nov 13th 2016

Dear Developers,

I realized that i-MSCP stores raw (plain text) passwords in MySQL tables (ex. mail_user, sql_user).
This is very dangerous security risk. Why do not use encryption in 2016?
The old ispCP encrypted in SQL passwords in sql_user tables, so method is working. What's the problem?
Dovecot able to use sha256, sha512 encrypt too.
I can't understand...Why don't use encryption?

**Nuxwin** · Nov 13th 2016

Hello,

Many passwords are stored as plain (ftp, sql) to allow auto-login feature. We know that this is bad and this issue will be addressed in 1.4.x Serie.However, note that access to imscp table is restricted to root and Master i-MSCP user. If someone can access the imscp database, this mean that the sql root password and/or Master i-MSCP SQL user is compromissed.

**f4Nm1Z9k2P** · Nov 13th 2016

Quote from Proci

I can't understand...Why don't use encryption?

The thing you mean is called a key derivation function (KDF )and usually has nothing to do with encryption.

Quote from Nuxwin

If someone can access the imscp database, this mean that the sql root password and/or Master i-MSCP SQL user is compromissed.

The problem with plain text password is, that most people don't do one of the following things

Reuse passwords in different occasions
Change passwords regularly
Tell your customers that you have been hacked
Know when your server has been hacked
Keep important files where noone can access them

IMHO this issue should really be adressed in the not too distant future.

**Proci** · Nov 14th 2016

Quote from Nuxwin

Many passwords are stored as plain (ftp, sql) to allow auto-login feature.

Is it certainly necessary? OK, phpmyadmin autologin is useful, but I think i is not neccessarry for mail and ftp.
Phpmyadmin autlogin worked in old ispcp omega whithout plan passwords (maybe with KDF) . Why have you chosen another way?

Quote from f4Nm1Z9k2P

The thing you mean is called a key derivation function (KDF )and usually has nothing to do with encryption.

So-so. I think, KDF need to Phpmyadmin autologin, but mail passwords should be full encryption, ex. SHA256/SHA512. Dovecot works perfectly with SHA512,and Courier with classic crypt.

**Nuxwin** · Nov 14th 2016

Quote from Proci

Phpmyadmin autlogin worked in old ispcp omega whithout plan passwords (maybe with KDF)

I was one of the main developers of ispCP. In ispCP the SQL user passwords were encrypted using Blowfish algorithm in CBC mode. Thus, it was possible to decrypt the passwords at run-time for use in auto-login feature but the problem was that if the keys for decrypting the passwords were compromised, lost or regenerated (for any reasons), the passwords were to be updated.. In a shared hosting environment, that is not a viable solution. Asking all customers to update their passwords is something crazy.

Anyway, there is no need to debate here. The passwords will be all ~~encrypted~~ hashed in next i-MSCP Serie (auto-login will be removed or implemented using another method). We cannot do that in current serie because too much changes are involved in core.

Thank you for your understanding.

Note: Below, you can see a part of code that was used for auto-login feature (pma) in ispCP:

PHP

<?php
/**
* ispCP ω (OMEGA) a Virtual Hosting Control System
*
* The contents of this file are subject to the Mozilla Public License
* Version 1.1 (the "License"); you may not use this file except in
* compliance with the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS"
* basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
* License for the specific language governing rights and limitations
* under the License.
*
* The Original Code is "ispCP - ISP Control Panel".
*
* The Initial Developer of the Original Code is ispCP Team.
* Portions created by Initial Developer are Copyright (C) 2006-2010 by
* isp Control Panel. All Rights Reserved.
*
* @package ispCP
* @subpackage client_sql
* @copyright 2006-2010 by ispCP | http://isp-control.net
* @author Laurent Declercq <laurent.declercq@ispcp.net>
* @since 1.0.7
* @version SVN: $Id: pma_auth.php 3278 2010-09-11 19:15:57Z nuxwin $
* @replace client/sql_auth.php
* @link http://isp-control.net ispCP Home Site
* @license http://www.mozilla.org/MPL/ MPL 1.1
*/
/***
* Script short description:
*
* This script allows PhpMyAdmin authentication from ispCP
*/
/*******************************************************************************
* Functions
*/
/**
* Get database login credentials
*
* @author Laurent Declercq <laurent.declercq@ispcp.net>
* @since 1.0.7
* @access private
* @param int $dbUserId Database user unique identifier
* @return array Array that contains login credentials or FALSE on failure
*/
function _getLoginCredentials($dbUserId) {
/**
* @var $db ispCP_Database_ResultSet
*/
$db = ispCP_Registry::get('Db');
// @todo Should be optimized
$query = "
SELECT
`sqlu_name`, `sqlu_pass`
FROM
`sql_user`, `sql_database`, `domain`
WHERE
`sql_user`.`sqld_id` = `sql_database`.`sqld_id`
AND
`sql_user`.`sqlu_id` = ?
AND
`sql_database`.`domain_id` = `domain`.`domain_id`
AND
`domain`.`domain_admin_id` = ?
;
";
$stmt = exec_query($db, $query, array($dbUserId, $_SESSION['user_id']));
if($stmt->rowCount() == 1) {
return array(
$stmt->fields['sqlu_name'],
decrypt_db_password($stmt->fields['sqlu_pass'])
);
} else {
return false;
}
}
/**
* Creates all cookies for PhpMyAdmin
*
* @author Laurent Declercq <laurent.declercq@ispcp.net>
* @since 1.0.7
* @access private
* @param array $cookies Array that contains cookies definitions for PMA
* @return void
*/
function _pmaCreateCookies($cookies) {
foreach($cookies as $cookie) {
header("Set-Cookie: $cookie", false);
}
}
/**
* PhpMyAdmin authentication
*
* @author Laurent Declercq <laurent.declercq@ispcp.net>
* @since 1.0.7
* @param int $dbUserId Database user unique identifier
* @return bool TRUE on success, FALSE otherwise
*/
function pmaAuth($dbUserId) {
$credentials = _getLoginCredentials($dbUserId);
if($credentials) {
$data = http_build_query(
array(
'pma_username' => $credentials[0],
'pma_password' => stripcslashes($credentials[1])
)
);
} else {
set_page_message(tr('Error: Unknown SQL user id!'));
return false;
}
// Prepares PhpMyadmin absolute Uri to use
if(isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS'])) {
$port = ($_SERVER['SERVER_PORT'] != '443')
? ':' . $_SERVER['SERVER_PORT'] : '';
$pmaUri = "https://{$_SERVER['SERVER_NAME']}$port/pma/";
} else {
$port = ($_SERVER['SERVER_PORT'] != '80')
? ':' . $_SERVER['SERVER_PORT'] : '';
$pmaUri = "http://{$_SERVER['SERVER_NAME']}$port/pma/";
}
// Set stream context (http) options
stream_context_get_default(
array(
'http' => array(
'method' => 'POST',
'header' => "Host: {$_SERVER['SERVER_NAME']}$port\r\n" .
"Content-Type: application/x-www-form-urlencoded\r\n" .
'Content-Length: ' . strlen($data) . "\r\n" .
"Connection: close\r\n\r\n",
'content' => $data,
'user_agent' => 'Mozilla/5.0',
'max_redirects' => 1
)
)
);
// Gets the headers from PhpMyAdmin
$headers = get_headers($pmaUri, true);
if(!$headers || !isset($headers['Location'])) {
set_page_message(tr('Error: An error occurred while authentication!'));
return false;
} else {
_pmaCreateCookies($headers['Set-Cookie']);
header("Location: {$headers['Location']}");
}
return true;
}
/*******************************************************************************
* Main program
*/
// Include all needed libraries and process to the ispCP initialization
require '../include/ispcp-lib.php';
// Check login
check_login(__FILE__);
/**
* Dispatches the request
*/
if(isset($_GET['id'])) {
if(!pmaAuth((int) $_GET['id'])) {
user_goto('sql_manage.php');
}
} else {
user_goto('/index.php');
}

Display More

**f4Nm1Z9k2P** · Nov 14th 2016

Quote from Proci

So-so. I think, KDF need to Phpmyadmin autologin, but mail passwords should be full encryption, ex. SHA256/SHA512. Dovecot works perfectly with SHA512,and Courier with classic crypt.

All algorithms you mentioned are key derivation functions. Some are based on hash functions (SHA256, SHA512), crypt is based on DES. The thing they have in common is, that reversing is computationally expensive. Decryption is usually quite inexpensive, when you have the key.

Quote from Nuxwin

Anyway, there is no need to debate here. The passwords will be all encrypted in next i-MSCP Serie (auto-login will be removed or implemented using another method). We cannot do that in current serie because too much changes are involved in core.

Encrypted or hashed?

**Nuxwin** · Nov 14th 2016

@f4Nm1Z9k2P

Quote from f4Nm1Z9k2P

Encrypted or hashed?

Sorry for confusion, I meant hashed using sha512 or bcrypt. Generally speaking you cannot decrypt password hashes. In ispCP, passwords for SQL users were encrypted. But in i-MSCP serie 1.4.x, they will be hashed. Thus, I'll see how we can implement auto-login feature (if we can).

Does this answer fit your disagreement on language abuse?

**UncleSam** · Nov 15th 2016

Just one question:
If I move to another server, is i-mscp able to recreate all logins again after a database restore if everything is hashed/crypted?

**f4Nm1Z9k2P** · Nov 15th 2016

This is no problem, as the algorithm and salt are saved together with the hash inside the database.

Storing raw passwords in mysql

Share

Daily visitors