ajrockefeller / openfpc

Automatically exported from code.google.com/p/openfpc
0 stars 0 forks source link

BUG: Login fault in password hashing function. #35

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago

login.php:
-----------------------------------------------------------

108     if($securePassword){
109         $password = sha1($username . $password);
110     }

useradd.php:
-----------------------------------------------------------
217         if ($securePassword){
218             // Salt the pw with the username
219             $password=sha1($password1 . $username);
220         }

This time , password is saved as cleartext: 

236 function updateuser() {
237     global $username, $password1, $password2, $timezone, $deafultnode, 
$realname, $description, $email, $guilink,$usertimezone;
238     checkauth();
239
240     if ( ! iscurrentuser($username) ) {
241         showhead();
242         showerror("User Doesn't exist! Are you trying to create a new 
user?");
243         newuser();
244     } elseif ($password1 == "") {
245         showhead();
246         showerror("Error: Blank password not allowed.");
247         newuser();
248     } elseif ( $password1 == $password2 ) {
249         showhead();
250         $guilink=guiDB();
251         $query="UPDATE users SET password = '$password1',
252                                 realname = '$realname',
253                                 email = '$email',
254                                 description = '$description',
255                                 timezone = '$usertimezone',
256                                 defaultnode = '$deafultnode'
257             WHERE username = '$username'";
258         $result=mysql_query($query, $guilink) or die("GUI DB Eror: 
".mysql_error());
259         showsuccess("User Updated");
260         showusertable();
261
262     } else {
263         showhead();
264         showerror("Passwords do not match.");
265         newuser();
266     }
267 }

Original issue reported on code.google.com by Laurel.W...@gmail.com on 5 Oct 2012 at 12:01

GoogleCodeExporter commented 8 years ago
I solved the problems by changing useradd.php file. 

Don't know how to make a pull request, so here's the diff:

$ diff useradd-svn.php useradd-modified.php 
219c219
<             $password=sha1($password1 . $username);
---
>             $password=sha1($username . $password1);
237c237
<     global $username, $password1, $password2, $timezone, $deafultnode, 
$realname, $description, $email, $guilink,$usertimezone;
---
>     global $username, $password1, $password2, $timezone, $deafultnode, 
$realname, $description, $email, $guilink,$usertimezone, $securePassword;
249a250,253
>         if ($securePassword){
>             // Salt the pw with the username
>             $password=sha1($username . $password1);
>         }
251c255
<         $query="UPDATE users SET password = '$password1',
---
>         $query="UPDATE users SET password = '$password',

If you ended up without access to the web GUI, you can follow these steps to 
regain access after applying these changes to the code: 
1.- Access to the DB and change the password to something easy (i.e. 'asdf')
    mysql -u root -p
    select * from openfpcgui.users;
    update openfpcgui.users set password='asdf' where id=<myuserid>;
2.- Set $securePassword=0 in includes/config.inc.php
3.- Login with the new password.
4.- Set $securePassword=1 in includes/config.inc.php
5.- Change the password through the GUI.
6.- Enjoy.

Original comment by jovi...@gmail.com on 22 Jul 2014 at 10:33