Re: RE : how to generate passwords?
>>I’ve set up OpenLDAP to do user authentication for a server and now I’m
>>trying to make a script so users could change their password from the web
>>in PHP but I can generate the password using the crypt function in PHP
>>and putting {crypt}whateverpassword in the userPassword attribute and I
>>can log in using SSH but I can’t bind using the script I made anymore…
>>Anybody could help me with a way to generate passwords in PHP? And also
>>how do you generate password for the lmPassword and ntPassword? Thanks
>>
>>Jean-Rene Cormier
>>$crypt_userpassword = shell_exec("/usr/sbin/slappasswd -h {crypt} -s $userpassword");
Be certain to test the password before doing a shell_exec. How does this
come out if someone enters a space in their password? Will the second
part be interpreted as an option to slappasswd? How about if I enter
"blahblah;rm -fR /tmp/*" or "blahblah;ls -lR /proc" or "blahblah; cat
/dev/zero" as my password? Or I'm clever and do a POST with something
like curl containing enough backspace characters to wipe out the
slappasswd command and then whatever I want.
See the escapeshellcmd PHP function call and think real hard about ways
to exploit this.
--
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------
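
The concerns raised in the reply above, as an added example that is not part of the original thread: it validates the password, then runs slappasswd without a shell, and shows `escapeshellarg()` for cases where a shell string cannot be avoided (`escapeshellcmd()` leaves spaces alone, so a password containing a space would still split into two arguments). It assumes PHP 7.4 or later and the slappasswd path quoted in the thread; the function names, the 128-byte cap and the sample passwords are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.4 and the
// slappasswd path quoted above; the sample passwords are constructed.

/** Refuse input that should never reach a password hasher. */
function validate_password(string $pw): void
{
    if ($pw === '' || strlen($pw) > 128) {            // 128 is an arbitrary cap
        throw new InvalidArgumentException('password length out of range');
    }
    if (preg_match('/[\x00-\x1f\x7f]/', $pw)) {       // backspace, NUL, newline...
        throw new InvalidArgumentException('control character in password');
    }
}

/** Hash via slappasswd without a shell ever parsing the password. */
function slappasswd_hash(string $pw, string $bin = '/usr/sbin/slappasswd'): string
{
    validate_password($pw);
    // Array form of proc_open() execs the binary directly, so ';', spaces
    // and a leading '-' all stay inside the single value of -s.
    $proc = proc_open([$bin, '-h', '{crypt}', '-s', $pw],
                      [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start slappasswd');
    }
    $out = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0 || stripos($out, '{crypt}') !== 0) {
        throw new RuntimeException('slappasswd failed');
    }
    return $out;
}

// Show how each sample would be handled; nothing is executed in this loop.
foreach (['correct horse', 'blahblah;ls -lR /proc', "abc\x08\x08\x08def"] as $pw) {
    $shown = addcslashes($pw, "\0..\37");             // make control bytes visible
    try {
        validate_password($pw);
        // If a shell string is unavoidable, quote the value as ONE argument.
        echo "$shown => -s " . escapeshellarg($pw) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "$shown => rejected: " . $e->getMessage() . PHP_EOL;
    }
}
```

Passing the password with `-s` still places it in the process argument list, where other local users can see it while slappasswd runs.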