Advisory 2020-04 Superadmin password is stored in clear text
The superadmin password for a multi-tenant system is stored in clear text in the configuration file which leaves the system open to security breaches.
Solution:
FileCloud Version 20.1 includes a script that admins must use to generate an encrypted superadmin password and paste it into the multi-tenant configuration file.
Note: The default password in the multi-tenant configuration file cannot be used to sign in to the system.
To generate the password:
- Locate the script file:
Windows: C:/xampp/htdocs/resources/tools/security/passwordenc.php
Linux: /var/www/resources/tools/security/passwordenc.php
- Run the script. The output should look similar to the following session:
C:\xampp\htdocs\resources\tools\security>set path=C:\xampp\php
C:\xampp\htdocs\resources\tools\security>php passwordenc.php
This tool generates an encrypted password string to paste into FileCloud configuration files
Enter your desired password: testpassword
Carefully copy paste the following string:
$pbkdf2-sha512$50000$ENIGvUsu3T6rIbI5Bz9DXw$EwNxMRnJrMMjR8xP4nNwgq19voIzmp3bh9ATHXFn41tTybtfrVYTyJVqSxG4jDmMjtGdY7fIH2TopwuNjgFPYw
Finished
- Copy the string.
- Find the sample multi-tenant config file:
Windows: C:/xampp/htdocs/config/multi-sample.php
Linux: /var/www/config/multi-sample.php
- Copy multi-sample.php, and rename the copy multi.php.
- Open multi.php and find the setting:
define("TONIDOCLOUD_MULTISITE_ADMIN_PASSWORD", 'Vrwfq7xNHV');
- Paste the string generated by passwordenc.php over the password value:
define("TONIDOCLOUD_MULTISITE_ADMIN_PASSWORD", '$pbkdf2-sha512$50000$ENIGvUsu3T6rIbI5Bz9DXw$EwNxMRnJrMMjR8xP4nNwgq19voIzmp3bh9ATHXFn41tTybtfrVYTyJVqSxG4jDmMjtGdY7fIH2TopwuNjgFPYw');
Note: The encrypted password must be surrounded by single quotes (not double quotes). Inside a double-quoted PHP string, `$pbkdf2` is treated as a variable reference, so the stored value would be corrupted.
- Save and close multi.php.
The superadmin user can now sign in using the clear-text password you entered at the "Enter your desired password" prompt of passwordenc.php.
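The string passwordenc.php emits has the shape $pbkdf2-sha512$<rounds>$<salt>$<digest>: a salted PBKDF2-HMAC-SHA512 hash with 50000 iterations, not reversible encryption, which is why the original password cannot be read back out of multi.php. The following Python is an added illustration of how a string in that shape is produced, parsed and verified; it is not FileCloud's passwordenc.php and not the code FileCloud uses to check the value. The base64 variant (unpadded, with '.' in place of '+') is an assumption, since the advisory does not document the exact alphabet; the sample string is only parsed for its structure, and the helper names (make_hash, parse_hash, verify, config_line) are hypothetical.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from typing import Optional

# Sample output copied from the advisory's passwordenc.php session (used only for parsing).
ADVISORY_SAMPLE = (
    "$pbkdf2-sha512$50000$ENIGvUsu3T6rIbI5Bz9DXw$"
    "EwNxMRnJrMMjR8xP4nNwgq19voIzmp3bh9ATHXFn41tTybtfrVYTyJVqSxG4jDmMjtGdY7fIH2TopwuNjgFPYw"
)

SCHEME = "pbkdf2-sha512"
DEFAULT_ROUNDS = 50000  # iteration count shown in the advisory's sample string


def _b64_encode(raw: bytes) -> str:
    # Assumption: unpadded base64 with '.' substituted for '+'. The advisory does not
    # state which alphabet passwordenc.php uses; only the overall layout is certain.
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def _b64_decode(text: str) -> bytes:
    # Reverse of _b64_encode: restore '+' and the '=' padding that was stripped.
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded)


def make_hash(password: str, rounds: int = DEFAULT_ROUNDS,
              salt: Optional[bytes] = None) -> str:
    """Return a $pbkdf2-sha512$rounds$salt$digest string for `password`."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password, as in the sample (16 bytes)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"${SCHEME}${rounds}${_b64_encode(salt)}${_b64_encode(digest)}"


def parse_hash(stored: str) -> tuple[int, bytes, bytes]:
    """Split a stored string into (rounds, salt, digest), rejecting malformed input."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        raise ValueError("not a $pbkdf2-sha512$ string")
    rounds = int(parts[2])
    if rounds <= 0:
        raise ValueError("rounds must be positive")
    return rounds, _b64_decode(parts[3]), _b64_decode(parts[4])


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    rounds, salt, expected = parse_hash(stored)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def config_line(stored: str) -> str:
    """Render the multi.php define() with single quotes so PHP does not interpolate '$'."""
    if "'" in stored or "\\" in stored:
        raise ValueError("hash string would need escaping inside a single-quoted PHP string")
    return f'define("TONIDOCLOUD_MULTISITE_ADMIN_PASSWORD", \'{stored}\');'


if __name__ == "__main__":
    rounds, salt, digest = parse_hash(ADVISORY_SAMPLE)
    print(f"advisory sample: {rounds} rounds, {len(salt)}-byte salt, {len(digest)}-byte digest")
    h = make_hash("testpassword")
    print(config_line(h))
    print("verify correct password:", verify("testpassword", h))
    print("verify wrong password:  ", verify("not-the-password", h))
```

Parsing the advisory's own sample shows the structure a defender should expect in multi.php: 50000 rounds, a 16-byte salt and a 64-byte digest (the full SHA-512 output). Because the salt is random, two runs of make_hash for the same password yield different strings, so a stored value cannot be matched across tenants or installs by comparing strings.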