Hi, here's a patch to stop sending passwords (with an option to keep the old behavior if you want it).
Thomas
>From d5471d0fa7e6554d7e17da9e319e252ce4e9d4aa Mon Sep 17 00:00:00 2001
From: Thomas Goirand <tho...@goirand.fr>
Date: Tue, 22 Feb 2011 16:57:41 +0800
Subject: [PATCH 2/2] Fixes: CVE-2011-0436 (password being mailed in clear text)

---
 admin/dtc_db.php | 12 ++++++++----
 admin/inc/dtc_config.php | 5 +++++
 admin/tables/config.sql | 1 +
 client/new_account_form.php | 9 ++++++++-
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/admin/dtc_db.php b/admin/dtc_db.php
index e6ac59e..2ed1b76 100644
--- a/admin/dtc_db.php
+++ b/admin/dtc_db.php
@@ -165,10 +165,14 @@ $dtc_database = array(
 "named_slavezonefiles_path" => "varchar(255) NOT NULL default 'slave_zones' ",
 "named_zonefiles_path" => "varchar(255) NOT NULL default 'zones' ",
 "autogen_default_subdomains" => "enum('yes','no') NOT NULL default 'yes'",
- "backup_script_path" => "varchar(255) NOT NULL default 'backup.bash' ",
- "bakcup_path" => "varchar(255) NOT NULL default '/mnt/backup' ",
- "webalizer_stats_script_path" => "varchar(255) NOT NULL default 'webalizer.bash' ",
- "use_javascript" => "enum('yes','no') NOT NULL default 'yes' ",
+ "autogen_subdomain_list" => "varchar(255) NOT NULL default 'pop|imap|mail|smtp|ftp'",
+ "autogen_webmail_alias" => "enum('yes','no') NOT NULL default 'yes'",
+ "autogen_webmail_type" => "enum('squirrelmail','roundcube') NOT NULL default 'squirrelmail'",
+ "backup_script_path" => "varchar(255) NOT NULL default 'backup.bash'",
+ "bakcup_path" => "varchar(255) NOT NULL default '/mnt/backup'",
+ "webalizer_stats_script_path" => "varchar(255) NOT NULL default 'webalizer.bash'",
+ "use_javascript" => "enum('yes','no') NOT NULL default 'yes'",
+ "send_passwords_in_emails" => "enum('yes','no') NOT NULL default 'no'",
 "use_mail_alias_group" => "enum('yes','no') NOT NULL default 'yes'",
 "use_ssl" => "enum('yes','no') NOT NULL default 'no' ",
 "use_nated_vhost" => "enum('yes','no') NOT NULL default 'no' ",
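Review bot: Three keys unrelated to the password fix (`autogen_subdomain_list`, `autogen_webmail_alias`, `autogen_webmail_type`) are added to `$dtc_database` in this hunk, while the `admin/tables/config.sql` hunk of the same patch adds only `send_passwords_in_emails`; unless those three columns already exist earlier in config.sql (not visible here), the schema array and a fresh-install table now disagree. Carrying them in a separate commit would keep the CVE-2011-0436 fix minimal and easy to backport. The four re-added lines from `backup_script_path` through `use_javascript` differ from the removed ones only by a dropped trailing space inside the quoted default, which is whitespace noise that widens the security diff for the same reason. The `$dtc_database` array begins and ends outside the hunk.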
diff --git a/admin/inc/dtc_config.php b/admin/inc/dtc_config.php
index bdc28a7..714d5c9 100644
--- a/admin/inc/dtc_config.php
+++ b/admin/inc/dtc_config.php
@@ -719,6 +719,11 @@ function drawGeneralConfig(){
 "type" => "radio",
 "values" => array("yes","no"),
 "display_replace" => array(_("Yes"),_("No"))),
+ "send_passwords_in_emails" => array(
+ "legend" => _("Send passwords in registration emails: "),
+ "type" => "radio",
+ "values" => array("yes","no"),
+ "display_replace" => array(_("Yes"),_("No"))),
 "use_ssl" => array(
 "legend" => _("Use SSL: "),
 "type" => "radio",
diff --git a/admin/tables/config.sql b/admin/tables/config.sql
index db321fc..f342744 100644
--- a/admin/tables/config.sql
+++ b/admin/tables/config.sql
@@ -44,6 +44,7 @@ backup_script_path varchar(255) NOT NULL default 'backup.bash',
 bakcup_path varchar(255) NOT NULL default '/mnt/backup',
 webalizer_stats_script_path varchar(255) NOT NULL default 'webalizer.bash',
 use_javascript enum('yes','no') NOT NULL default 'yes',
+send_passwords_in_emails enum('yes','no') NOT NULL default 'no',
 use_ssl enum('yes','no') NOT NULL default 'no',
 use_nated_vhost enum('yes','no') NOT NULL default 'no',
 nated_vhost_ip varchar(16) NOT NULL default '192.168.0.2',
diff --git a/client/new_account_form.php b/client/new_account_form.php
index 4ba0249..1a7b959 100644
--- a/client/new_account_form.php
+++ b/client/new_account_form.php
@@ -9,6 +9,7 @@ function register_user($adding_service="no"){
 global $conf_selling_conditions_url;
 global $conf_message_subject_header;
+ global $conf_send_passwords_in_emails;
 global $secpayconf_currency_letters;
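Review bot: The legend `_("Send passwords in registration emails: ")` on the new radio gives the administrator no indication that enabling it reinstates the clear-text mailing this patch removes, nor that `no` is the shipped default. A wording such as `_("Send passwords in registration emails (insecure, default no): ")` would surface both in the settings screen; the `values` and `display_replace` entries can stay as they are. drawGeneralConfig begins and ends outside the hunk.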
@@ -373,11 +374,17 @@ VALUES('".$_REQUEST["reqadm_login"]."',
 $the_prod = $a["name"]." (".$a["price_dollar"]." $secpayconf_currency_letters)";
 }
+if($conf_send_passwords_in_emails == "yes"){
+ $pass_for_email = $_REQUEST["reqadm_pass"];
+}else{
+ $pass_for_email = _("- password removed for security reasons -");
+}
+
 $mail_content = "
 Somebody tried to register an account. Here is the details of the new user:
 login: ".$_REQUEST["reqadm_login"]."
-pass: ".$_REQUEST["reqadm_pass"]."
+pass: ".$pass_for_email."
 domain: ".$_REQUEST["domain_name"]."
 Company name: ".$_REQUEST["compname"]."
 First name: ".$_REQUEST["firstname"]."
-- 
1.7.2.3
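Review bot: The `yes` branch still copies `$_REQUEST["reqadm_pass"]` verbatim into `$mail_content`, and the notification keeps embedding the other raw request fields (login, domain_name, compname, firstname) unchanged, so the new option narrows the exposure rather than removing it; a comment above the branch should record why the default is `no`, e.g. `// CVE-2011-0436: never mail the clear-text password unless the admin opted in via send_passwords_in_emails`. The comparison `$conf_send_passwords_in_emails == "yes"` is fail-safe when the global is unset on an installation whose config row has not yet gained the new column, since an unset value is not "yes"; writing it as `=== "yes"` would make that intent explicit. The hunk's header context, `VALUES('".$_REQUEST["reqadm_login"]."',`, shows the INSERT above being assembled from request input by string concatenation; that predates this patch but deserves its own ticket. register_user begins and ends outside the hunk, so it cannot be confirmed here whether any other mail built in the function also contains the password.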