Greetings,

I'll start by saying that I am not a C programmer, but I have been
looking through the source code trying to get this functionality to
work. Here's my end goal.

The username is converted to lowercase
The password is converted to lowercase
They are compared and if the same or similar an error is generated.

Now, I know that this is similar to the trivial passwords check, but
there is a difference that I will explain.

I have patched qmailadmin 1.2.15 to use the cracklib patch, and that is
working well. I enabled trivial password checking and that works,
mostly. I have been able to still get by a weak combination using the
following:
username: TestWeak1
password: TestWeak1

What I believe is happening is that qmailadmin is converting the
username to lowercase at some point but leaving the password
unaltered. When it does the strstr compare it doesn't match, so it
passes the combination as being good.


I tried cobbling this together:
  GetValue(TmpCGI,Newu, "newu=", tolower(Newu));
  GetValue(TmpCGI,Password1, "password1=", tolower(Password1));
  if ( strstr(Newu,Password1) !=NULL ) {
    snprintf (StatusMessage, "Bad username and password combination, to similar - %s\n", html_text[175]);
    adduser();
    vclose();
    exit(0);
  }

But while that compiles without an error, qmailadmin fails when I try
to add a new user.

I've tried searching various C programming pages, but without a solid
frame of reference I am just taking stabs in the dark.

Does anyone have a way to include this functionality??

Thanks,
-Adam
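
An added example (not part of the original post and not qmailadmin code) of the check described above: tolower() from <ctype.h> converts one character, not a string, so each field is lowercased character by character into a copy before the strstr comparison. The names lower_copy, weak_user_pass_combo and MAX_FIELD are hypothetical, and the example goes slightly beyond the post by testing containment in both directions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 256  /* assumed cap on form field length (hypothetical) */

/* Copy src into dst in lowercase, always NUL-terminated.
 * Returns 0 on success, -1 if src does not fit. */
static int lower_copy(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dstlen)
            return -1;
        /* cast first: tolower() is undefined for negative char values */
        dst[i] = (char)tolower((unsigned char)src[i]);
    }
    dst[i] = '\0';
    return 0;
}

/* Returns 1 when the combination must be rejected: either field is empty
 * or overlong, or one contains the other ignoring case. Returns 0 otherwise.
 * The caller's buffers are left unmodified. */
int weak_user_pass_combo(const char *user, const char *pass)
{
    char u[MAX_FIELD], p[MAX_FIELD];

    if (lower_copy(u, sizeof u, user) != 0 || lower_copy(p, sizeof p, pass) != 0)
        return 1;                      /* fail closed on overlong input */
    if (u[0] == '\0' || p[0] == '\0')
        return 1;                      /* strstr() matches an empty needle */
    return strstr(p, u) != NULL || strstr(u, p) != NULL;
}

int main(void)
{
    /* Constructed sample inputs; the first pair is the one from the post. */
    printf("%d\n", weak_user_pass_combo("TestWeak1", "TestWeak1"));
    printf("%d\n", weak_user_pass_combo("testweak1", "xTESTWEAK1x"));
    printf("%d\n", weak_user_pass_combo("adam", "blue-Kettle-42"));
    return 0;
}
```

Because the comparison runs on lowercase copies, the password is still stored with the case the user typed.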
