ejabberd - Comments for "Ejabberd's salt (SCRAM) breaks mod_rest"
https://www.ejabberd.im/node/5841

---

The mod rest call with an
Zach Calvert, Thu, 12 Jul 2012 20:45:54 +0000
https://www.ejabberd.im/node/5841#comment-58865

The mod_rest call with an HTTP POST fails with the following response:

    Error: invalid_account_data

The only place I find that atom referenced is not in the mod_rest code, nor even in the ejabberd code, but it is present in the ejabberd comments for the /ejabberd-2.1.11/src/ejabberd_commands.erl code. It looks like the commands module is not making use of the cryptography change.

Is this a configuration element or can I enable it?

---

Discovered that the problem
Zach Calvert, Thu, 12 Jul 2012 20:49:14 +0000
https://www.ejabberd.im/node/5841#comment-58866

Discovered that the problem is that ejabberd authentication for command execution is different than the authentication for users. From ejabberd_commands.erl:

```erlang
check_access(all, _) ->
    true;
check_access(Access, Auth) ->
    {ok, User, Server} = check_auth(Auth),
    %% Check this user has access permission
    case acl:match_rule(Server, Access, jlib:make_jid(User, Server, "")) of
        allow -> true;
        deny -> false
    end.
```

The fix is to fix the commands module to use the cyrsasl behavior. Has anyone done this before?

---

Missed the big ticket item
Zach Calvert, Thu, 12 Jul 2012 20:57:48 +0000
https://www.ejabberd.im/node/5841#comment-58867

Missed the big ticket item out of ejabberd_commands.erl:

```erlang
check_auth({User, Server, Password}) ->
    %% Check the account exists and password is valid
    AccountPass = ejabberd_auth:get_password_s(User, Server),
    AccountPassMD5 = get_md5(AccountPass),
    case Password of
        AccountPass -> {ok, User, Server};
        AccountPassMD5 -> {ok, User, Server};
        _ -> throw({error, invalid_account_data})
    end.

get_md5(AccountPass) ->
    lists:flatten([io_lib:format("~.16B", [X])
                   || X <- binary_to_list(crypto:md5(AccountPass))]).
```

This also means that if I'm able to sneak a peek at the database, I could still authenticate as admin for user credentials because it allows for plain text matching in the commands module.

---

It has been fixed in ejabberd
mfoss, Mon, 27 Aug 2012 15:36:15 +0000
https://www.ejabberd.im/node/5841#comment-59016

It has been fixed in ejabberd 2.1.x branch recently.
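The following is an added illustration, not code from the thread or from ejabberd, of the failure mode Zach Calvert describes in the "Missed the big ticket item" comment. The legacy `check_auth` in ejabberd_commands.erl only succeeds when the submitted password equals the stored password or its (unpadded, uppercase) MD5 hex, so it needs the plaintext to be retrievable; once accounts are stored as SCRAM records there is no plaintext to compare against and every command authentication fails with `invalid_account_data`. The SCRAM verification shown here follows RFC 5802 with SHA-1 and PBKDF2, which is what a SCRAM-aware check (ejabberd's `ejabberd_auth:check_password` in the user path) has to do instead. The record layout (`stored_key`, `server_key`, `salt`, `iterations`), the constructed salt and the sample password are assumptions for this demo; SASLprep normalisation of the password is omitted.

```python
import hashlib
import hmac
import os
from typing import Optional, Union

# --- Legacy command authentication, modelled on the quoted check_auth/get_md5 ---

def erlang_md5_hex(account_pass: str) -> str:
    """Reproduce get_md5/1: io_lib:format("~.16B") prints each byte as
    uppercase hex WITHOUT zero padding, so 0x05 becomes "5", not "05"."""
    return "".join(format(b, "X") for b in hashlib.md5(account_pass.encode()).digest())

def legacy_check_auth(submitted: str, stored: Union[str, dict]) -> bool:
    """check_auth/1 semantics: the submitted password must equal the stored
    plaintext password, or the MD5 hex of that plaintext. A SCRAM record
    carries no plaintext at all, so neither branch can ever match it."""
    if not isinstance(stored, str):
        return False          # would be throw({error, invalid_account_data}) in Erlang
    return submitted == stored or submitted == erlang_md5_hex(stored)

# --- SCRAM-SHA-1 stored credentials and verification (RFC 5802) ---

def scram_store(password: str, iterations: int = 4096,
                salt: Optional[bytes] = None) -> dict:
    """Derive what a SCRAM-enabled server keeps instead of the plaintext.
    Assumed record layout; the salt is random in practice."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "stored_key": hashlib.sha1(client_key).digest(),     # H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
        "salt": salt,
        "iterations": iterations,
    }

def scram_check_password(submitted: str, record: dict) -> bool:
    """What the commands module must do for SCRAM accounts: re-derive
    StoredKey from the submitted password and compare in constant time.
    Knowing the record alone does not let anyone pass this check, which
    removes the 'peek at the database' concern raised in the thread."""
    salted = hashlib.pbkdf2_hmac("sha1", submitted.encode(),
                                 record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

def demo() -> dict:
    """Constructed sample: one account stored in plaintext, one as SCRAM."""
    password = "correct horse battery"                 # constructed credential
    plain_record = password
    scram_record = scram_store(password, salt=b"constructed-demo-salt")
    return {
        "legacy_vs_plain": legacy_check_auth(password, plain_record),           # True
        "legacy_md5_vs_plain": legacy_check_auth(erlang_md5_hex(password), plain_record),  # True
        "legacy_vs_scram": legacy_check_auth(password, scram_record),           # False: breaks mod_rest
        "scram_vs_scram": scram_check_password(password, scram_record),         # True
        "scram_wrong_password": scram_check_password("wrong", scram_record),    # False
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two boolean rows for the SCRAM record are the whole story: the legacy comparison can never accept a SCRAM account, and a SCRAM-aware check accepts the right password while still not accepting a copy of the stored record. The Erlang `"~.16B"` quirk is reproduced deliberately; any client computing a normally zero-padded MD5 hex would have failed the second legacy branch whenever a digest byte was below 0x10.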