Change Password Improvements

plugins/ispconfig-change-password/IspConfigChangePasswordDriver.php

@@ -70,7 +70,7 @@ public function SetLogger($oLogger)
 	}
 
 	/**
-	 * @param \RainLoop\Model\Account $oAccount
+	 * @param \RainLoop\Account $oAccount
 	 *
 	 * @return bool
 	 */
@@ -81,38 +81,81 @@ public function PasswordChangePossibility($oAccount)
 	}
 
 	/**
-	 * @param \RainLoop\Model\Account $oAccount
+	 * @param \RainLoop\Account $oAccount
 	 * @param string $sPrevPassword
 	 * @param string $sNewPassword
 	 *
 	 * @return bool
 	 */
 	public function ChangePassword(\RainLoop\Account $oAccount, $sPrevPassword, $sNewPassword)
 	{
+
+
 		if ($this->oLogger)
 		{
 			$this->oLogger->Write('ISP: Try to change password for '.$oAccount->Email());
+
+
 		}
 
 		$bResult = false;
 		if (!empty($this->sDsn) && 0 < \strlen($this->sUser) && 0 < \strlen($this->sPassword) && $oAccount)
 		{
+
+
+
 			try
 			{
+
+
 				$oPdo = new \PDO($this->sDsn, $this->sUser, $this->sPassword);
 				$oPdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
 
 				$oStmt = $oPdo->prepare('SELECT password, mailuser_id FROM mail_user WHERE login = ? LIMIT 1');
 				if ($oStmt->execute(array($oAccount->IncLogin())))
 				{
+
+
 					$aFetchResult = $oStmt->fetchAll(\PDO::FETCH_ASSOC);
 					if (\is_array($aFetchResult) && isset($aFetchResult[0]['password'], $aFetchResult[0]['mailuser_id']))
 					{
-						$sDbPassword = \stripslashes($aFetchResult[0]['password']);
-						$sDbSalt = '$1$'.\substr($sDbPassword, 3, 8).'$';
+
+					$sDbPassword = \stripslashes($aFetchResult[0]['password']);
+
+
+					//////////////////////////////////
+					//////////////////////////////////
+
+					$arr2 = substr($sDbPassword, 0, 3);
+
+					if ($arr2 == "$1$") {
+					$sDbSalt = '$1$'.\substr($sDbPassword, 3, 8).'$';
+					}
+
+					if ($arr2 == "$6$") {
+
+					$arr1 = explode("$",$sDbPassword);
+					$arr3 = substr($sDbPassword, 3, 6);
+
+						if ($arr3 == "rounds") {
+						$sDbSalt = '$6$'.$arr1[2].'$'.$arr1[3].'$';
+						}
+						else { 
+						$sDbSalt = '$6$'.$arr1[2].'$';
+						}
+
+					}
+
+					echo "$sNewPassword - $sDbPassword - $arr2 - $sDbSalt - $arr1[2]";
+
+					//////////////////////////////////
+					//////////////////////////////////
+
 
 						if (\crypt(\stripslashes($sPrevPassword), $sDbSalt) === $sDbPassword)
 						{
+
+
 							$oStmt = $oPdo->prepare('UPDATE mail_user SET password = ? WHERE mailuser_id = ?');
 							$bResult = (bool) $oStmt->execute(
 								array($this->cryptPassword($sNewPassword), $aFetchResult[0]['mailuser_id']));
@@ -141,11 +184,11 @@ private function cryptPassword($sPassword)
 		$sSalt = '';
 		$sBase64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
 
-		for ($iIndex = 0; $iIndex < 8; $iIndex++)
+		for ($iIndex = 0; $iIndex < 16; $iIndex++) // 8 changed to 16
 		{
 			$sSalt .= $sBase64[\rand(0, 63)];
 		}
 
-		return \crypt($sPassword, '$1$'.$sSalt.'$');
+		return \crypt($sPassword, '$6$rounds=5000$'.$sSalt.'$'); // $1$ changed to $6$rounds=5000$
 	}
-}
+}

rainloop/v/0.0.0/app/libraries/MailSo/Base/Utils.php

@@ -2509,13 +2509,23 @@ public static function IdToHash($iID, $sSalt = '')
 	 */
 	public static function PasswordWeaknessCheck($sPassword)
 	{
-		$sPassword = \trim($sPassword);
-		if (6 > \strlen($sPassword))
-		{
-			return false;
-		}
+                $sPassword = \trim($sPassword);
+                if (12 > \strlen($sPassword))
+                {
+                        return false;
+                }
+
+                $uppercase = preg_match('@[A-Z]@', $sPassword);
+                $lowercase = preg_match('@[a-z]@', $sPassword);
+                $number    = preg_match('@[0-9]@', $sPassword);
+                $specialChars = preg_match('@[^\w]@', $sPassword);
+
+                if(!$uppercase || !$lowercase || !$number || !$specialChars) {
+                        return false;
+                }
+                else {
+                        return true;
+                }
 
-		$sLine = 'password 123.456 12345678 abc123 qwerty monkey letmein dragon 111.111 baseball iloveyou trustno1 1234567 sunshine master 123.123 welcome shadow ashley football jesus michael ninja mustang password1 123456 123456789 qwerty 111111 1234567 666666 12345678 7777777 123321 654321 1234567890 123123 555555 vkontakte gfhjkm 159753 777777 temppassword qazwsx 1q2w3e 1234 112233 121212 qwertyuiop qq18ww899 987654321 12345 zxcvbn zxcvbnm 999999 samsung ghbdtn 1q2w3e4r 1111111 123654 159357 131313 qazwsxedc 123qwe 222222 asdfgh 333333 9379992 asdfghjkl 4815162342 12344321 88888888 11111111 knopka 789456 qwertyu 1q2w3e4r5t iloveyou vfhbyf marina password qweasdzxc 10203 987654 yfnfif cjkysirj nikita 888888 vfrcbv k.,jdm qwertyuiop[] qwe123 qweasd natasha 123123123 fylhtq q1w2e3 stalker 1111111111 q1w2e3r4 nastya 147258369 147258 fyfcnfcbz 1234554321 1qaz2wsx andrey 111222 147852 genius sergey 7654321 232323 123789 fktrcfylh spartak admin test 123 azerty abc123 lol123 easytocrack1 hello saravn holysh!t test123 tundra_cool2 456 dragon thomas killer root 1111 pass master aaaaaa a monkey daniel asdasd e10adc3949ba59abbe56e057f20f883e changeme computer jessica letmein mirage loulou lol superman shadow admin123 secret administrator sophie kikugalanetroot doudou liverpool hallo sunshine charlie parola 100827092 michael andrew password1 fuckyou matrix cjmasterinf internet hallo123 eminem demo gewinner pokemon abcd1234 guest ngockhoa martin sandra asdf hejsan george qweqwe lollipop lovers q1q1q1 tecktonik naruto 12 password12 password123 password1234 password12345 password123456 password1234567 password12345678 password123456789 000000 maximius 123abc baseball1 football1 soccer princess slipknot 11111 nokia super star 666999 12341234 1234321 135790 159951 212121 zzzzzz 121314 134679 142536 19921992 753951 7007 1111114 124578 19951995 258456 qwaszx zaqwsx 55555 77777 54321 qwert 22222 33333 99999 88888 66666';
-		return false === \strpos($sLine, \strtolower($sPassword));
 	}
 }