FreeNas – Clear text passwords


Just noticed this myself while doing some routine backup. The main problem is not only during backup, but also on a live system. The whole system uses clear text passwords; just have a look at /cf/conf/config.xml.

The php code is really simple, and I managed to do a quick fix for admin users.

/usr/local/www/login.php line: 46
OLD: $_POST['password'] === $config['system']['password']) {
NEW: password_verify($_POST['password'], $config['system']['password'])) {

/usr/local/www/system_password.php line: 70
OLD: $config['system']['password'] = $_POST['password_new'];
NEW: $config['system']['password'] = password_hash($_POST['password_new'], PASSWORD_DEFAULT);

Is this the way to go? Is it good enough?
If so, I could easily write up a patch and make it valid for normal users too…

Hmm, on a side note, this will probably not work as a permanent solution, need to look into this a bit more…
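
One gap in the two-line change above is that an existing config.xml still holds the clear text value, and password_verify() returns false for a stored string that is not a hash, so the current admin password stops working after the edit. The following is an added example, not FreeNAS code or part of the original post: verify_and_upgrade() is a hypothetical helper and the $config array is a constructed sample that only mirrors the layout used in the snippets.

```php
<?php
// Added example, not FreeNAS code. verify_and_upgrade() is a hypothetical helper;
// $config only mirrors the array layout seen in the post's snippets.

function verify_and_upgrade(array &$config, string $submitted): bool
{
    $stored = (string) $config['system']['password'];

    // password_get_info() reports algoName "unknown" for anything that is not
    // a password_hash() string, i.e. a legacy clear text entry.
    // Caveat: a clear text password that itself looks like a hash string is
    // treated as a hash and has to be reset by hand.
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Constant-time comparison of the legacy value.
        if (!hash_equals($stored, $submitted)) {
            return false;
        }
        // Correct legacy password: replace it with a hash right away.
        $config['system']['password'] = password_hash($submitted, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($submitted, $stored)) {
        return false;
    }
    // Re-hash when PASSWORD_DEFAULT or its cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $config['system']['password'] = password_hash($submitted, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample config holding a clear text password.
$config = ['system' => ['password' => 'example-legacy-pw']];

// Wrong guess against the legacy entry, then the correct legacy password.
var_dump(verify_and_upgrade($config, 'wrong-guess'));
var_dump(verify_and_upgrade($config, 'example-legacy-pw'));

// The stored value is now a hash, and the same password still verifies.
var_dump(password_get_info($config['system']['password'])['algoName']);
var_dump(verify_and_upgrade($config, 'example-legacy-pw'));
```

After a successful call the caller still has to write the updated $config back to disk, otherwise the clear text entry stays in the file.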

