From 1ca26066fd412911ba5a08461c0c076d93b12932 Mon Sep 17 00:00:00 2001
From: Harvie
Date: Wed, 1 Dec 2010 04:03:07 +0100
Subject: [PATCH] Initial support for variable hashing alghorithms (currently login-only)

---
 doc/TODO | 7 ++-----
 wwwroot/inc/eventz/login.inc | 13 ++++++++++---
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/doc/TODO b/doc/TODO
index f61c8f7..95ccf36 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -50,8 +50,5 @@
 - Switch completely to Base36 (Templates, Links, don't change $_GET[], queries should convert between base10 in db and base36 in kyberia automatically, etc...)
 - (IMHO we should use SHA1 or stronger algorithm instead of MD5 for storing passwords)
- (We can use multiple hash algorithms (so we'll have backward DB compatibility):
- {SHA256}0654209dbde29a5c17e4f04ab63a91d303d2e7c791c7b5777581a7fa6550054e
- {SHA1}f67c52c4a27cf05c99e4f3f946d6500f045a4735
- 5b077a0ab90992d9763c5b120b22c9d7
- ) Harvie
+ (We really need this... I've cracked Hromi's password in few seconds (even when it was relatively secure))
+ (I've implemented this partially. We can now login using various hash algorithms, it's backward compatible, but we still need to edit registration/password changing to use SHA1 when updating passwords in DB)
diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc
index c8b5ef8..154cdef 100644
--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -4,7 +4,14 @@ function login() {
 global $db,$error,$node_id;
 $login = mysql_real_escape_string($_POST['login']);
 $password = $_POST['password']; // Not SQLi but be carefull
- $hash = md5($password);
+ $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
+
+ $hash_query='(';
+ foreach($password_hash_algos as $algo) {
+ $hash_query.="password='".hash($algo, $password)."' OR ";
+ }
+ $hash_query.='false )';
+
 $login_type = $_POST['login_type'];
 $referer = $_SERVER['HTTP_REFERER'];
 
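Review bot: The new `$hash_query` block replaces one unsalted fast hash with three, so the cracking concern recorded in the TODO hunk is not actually reduced — sha1 or sha256 of a bare password is about as cheap to brute-force as md5, and a stored md5 value keeps being accepted indefinitely because every candidate is OR'd into the same clause. Since the plaintext is in hand on a successful login, the success path (outside this hunk; login()'s body continues past it) could re-hash the password with the preferred scheme and update the user's row, which would supply the migration the TODO says is still missing; a salted and deliberately slow scheme, for example crypt() with a per-user salt, is what would address the TODO's point rather than a longer digest. Interpolating hash() output into SQL is safe only because hash() returns lowercase hex, and that invariant deserves a comment beside the loop, e.g. `// hash() yields lowercase hex, so it is safe to inline; $password itself must never reach the query`.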
@@ -15,7 +22,7 @@ function login() {
 switch ($login_type) {
 case "name":
- $q = "select * from users where login='$login' and password='$hash'";
+ $q = "select * from users where login='$login' and $hash_query";
 $set = $db->query($q);
 $set->next();
 $user_id = $set->getString('user_id');
@@ -27,7 +34,7 @@ function login() {
 // HA! if it is number, escape_string is not enough
 $login=intval($login);
- $q="select * from users where user_id='$login' and password='$hash'";
+ $q="select * from users where user_id='$login' and $hash_query";
 $set=$db->query($q);
 $set->next();
 $user_id=$set->getString('user_id');
-- 
2.30.2
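Review bot: The rewritten query in this hunk and the one in the `@@ -27,7 +34,7 @@` hunk now differ only in the column compared against `$login` (`login` versus `user_id`), so sharing `$hash_query` makes the duplication more visible; building the WHERE clause once from a column name chosen in the switch, `$q = "select * from users where $id_column='$login' and $hash_query";`, would keep the two branches from drifting as the hash handling evolves. Both hunks still call `$set->next()` and read `user_id` without checking that any row matched; that predates this change, but with the broader OR clause it is where a no-match result is presumably turned into an empty id, so a `// TODO: check the row count before next()` marker at each site would be worth adding. login()'s body continues before and after both hunks.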