Password hash is accepted instead of the plaintext password

[sigprof]

In iRedAdmin 2.6 it is possible to login by entering the password hash value into the login form instead of the corresponding plaintext password. This defeats any protection normally provided by password hashing (usually a leaked password hash does not give access immediately, because finding the matching plaintext password should be expensive, but with this implementation the password hash becomes equivalent to the plaintext password).

Looks like this code is the culprit — it accepts a plaintext match without the prefix even if the value stored in the database is actually a password hash:

iRedAdmin/libs/iredpwd.py

Lines 516 to 521 in b537e71

	if challenge_password in [
	plain_password,
	"{PLAIN}" + plain_password,
	"{plain}" + plain_password,
	]:
	return True

This kind of plaintext password matching probably should be behind some configuration option, so that the default configuration is secure.