malhuda/developer
1
0
Fork 0
mirror of https://github.com/easy-wi/developer.git synced 2025-02-20 11:23:28 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

#15: PHP 5.5 hash API

Browse Source
This commit is contained in:
Ulrich Block 2013-10-18 18:38:09 +02:00
parent 787d28e8d0
commit 2f606b3d3d
13 changed files with 420 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
THIRDPARTY
View File

@ -25,4 +25,10 @@ https://github.com/aFarkas/html5shiv
These icons are public domain, and as such are free for any use (attribution appreciated but not required).
Note that these flags are named using the ISO3166-1 alpha-2 country codes where appropriate. A list of codes can be found at http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
If you find these icons useful, please donate via paypal to mjames@gmail.com (or click the donate button available at http://www.famfamfam.com/lab/icons/silk)
Contact: mjames@gmail.com
Contact: mjames@gmail.com
* password_compat
https://github.com/ircmaxell/password_compat/
Copyright Anthony Ferrara
Released under the MIT license
http://opensource.org/licenses/MIT

138
external/api_users.php vendored
View File

@ -89,8 +89,9 @@ if (count($error)>0) {
$pdo=new PDO("mysql:host=".$config['dbHost'].";dbname=".$config['dbName'],$config['dbUser'],$config['dbPwd'],array(PDO::MYSQL_ATTR_INIT_COMMAND=>"SET NAMES utf8"));
$pdo->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
// JSON array
$json=array();
// Define default values so we always have a proper return
$total = 0;
$json = array();
// User export
if ($list == 'user') {
@ -148,20 +149,21 @@ if (count($error)>0) {
} else if ($config['sourceType']=='teklab') {
// Get amount of users that are new or received an update
// The Query needs to be altered to your database. This is just an example!
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_members`
WHERE `rank`=1";
$query=$pdo->prepare($sql);
$query->execute(array($lastID,$updateTime));
$query->execute();
$total=$query->fetchColumn();
// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_members`
WHERE `rank`=1
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute(array($lastID,$updateTime));
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
// Easy-Wi stores the salutation with numbers
// Teklab has also 3 for company which Easy-WI currently does not maintain
if ($row['title'] == 0) {
$salutation = 1;
} else if ($row['title']==1) {
@ -170,6 +172,7 @@ if (count($error)>0) {
$salutation = null;
}
// Easy-WI uses ISO code for storing countries
if ($row['country'] == 1) {
$country = 'de';
} else if ($row['country'] == 2) {
@ -182,8 +185,9 @@ if (count($error)>0) {
$country = null;
}
// Street and streetnumber are stored in the same column Easy-WI has individual columns
$exploded = explode(" ", $row['street']);
if (count($exploded) > 2) {
if (count($exploded) > 1) {
$streetNumber = $exploded[count($exploded) - 1];
unset($exploded[count($exploded) - 1]);
$streetName = implode(' ', $exploded);
@ -191,8 +195,7 @@ if (count($error)>0) {
$streetName = null;
$streetNumber = null;
}
// the keys needs to be adjusted to your table layout and query!
$json[]=array(
'externalID' => $row['id'],
'salutation' => $salutation,
@ -215,29 +218,114 @@ if (count($error)>0) {
);
}
}
// Echo the JSON reply with
echo json_encode(array('total' => $total,'entries' => $json));
} else if ($list == 'substitutes' and $config['sourceType']=='teklab') {
die;
/**
} else if ($list == 'gameroots') {
if ($config['sourceType']=='teklab') {
// Get amount of users that are new or received an update
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_rootserver`
WHERE `active`=1
AND `games`=1";
$query=$pdo->prepare($sql);
$query->execute();
$total=$query->fetchColumn();
// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_rootserver`
WHERE `active`=1
AND `games`=1
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$json[]=array(
'externalID' => $row['id'],
'userID' => $row['memberid'],
'description' => $row['name'],
'serverIP' => $row['serverip'],
'sshPort' => $row['sshport'],
'ftpPort' => $row['ftpport'],
'cpuCores' => $row['cpucores'],
'maxRam' => $row['ram']
);
}
} else if ($list == 'dedicated' and $config['sourceType']=='teklab') {
die;
}
} else if ($list == 'gameimages') {
if ($config['sourceType']=='teklab') {
} else if ($list == 'gameserver' and $config['sourceType']=='teklab') {
die;
}
} else if ($list == 'gameserver') {
if ($config['sourceType']=='teklab') {
} else if ($list == 'voice' and $config['sourceType']=='teklab') {
die;
}
/**
} else if ($list == 'addons') {
if ($config['sourceType']=='teklab') {
// Get amount of users that are new or received an update
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_games_addons`";
$query=$pdo->prepare($sql);
$query->execute();
$total=$query->fetchColumn();
// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_games_addons`
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$json[]=array(
'externalID' => $row['id'],
'name' => $row['addonname'],
'description' => $row['text'],
'shortName' => $row['sname']
);
}
} else if ($list == 'node' and $config['sourceType']=='teklab') {
die;
} else if ($list == 'virt' and $config['sourceType']=='teklab') {
die;
}
**/
} else if ($list == 'voice') {
if ($config['sourceType']=='teklab') {
}
// Substitutes at last so we can get access permissions as well
} else if ($list == 'substitutes') {
if ($config['sourceType']=='teklab') {
// Get amount of users that are new or received an update
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_subusers`";
$query=$pdo->prepare($sql);
$query->execute();
$total=$query->fetchColumn();
// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_subusers`
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$json[]=array(
'externalID' => $row['id'],
'belongsToExternalID' => $row['memberid'],
'loginName' => $row['user'],
'firstName' => null,
'lastName' => null,
'password' => $row['password']
);
}
}
}
// Catch database error and display
// Echo the JSON reply with
echo json_encode(array('total' => $total,'entries' => $json));
// Catch database error and display
} catch(PDOException $error) {
echo json_encode(array('error' => $error->getMessage()));
}

61
web/login.php
View File

@ -50,6 +50,7 @@ if (is_dir(EASYWIDIR . '/install')) {
include(EASYWIDIR . '/stuff/vorlage.php');
include(EASYWIDIR . '/stuff/class_validator.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
include(EASYWIDIR . '/stuff/functions.php');
include(EASYWIDIR . '/stuff/settings.php');
include(EASYWIDIR . '/stuff/keyphrasefile.php');
@ -150,19 +151,17 @@ if ($ui->st('w', 'get') == 'lo') {
} else if ($ui->password('password1', 255, 'post') and $ui->password('password2', 255, 'post') and $ui->w('token', 32, 'get')) {
if ($ui->password('password1', 255, 'post')==$ui->password('password2', 255, 'post')) {
if ($ui->password('password1', 255, 'post') == $ui->password('password2', 255, 'post')) {
$query = $sql->prepare("SELECT `id`,`cname` FROM `userdata` WHERE `token`=? LIMIT 1");
$query->execute(array($ui->w('token',32, 'get')));
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$username = $row['cname'];
$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$password = createHash($username, $ui->password('password1', 255, 'post'), $salt, $aeskey);
$text = $sprache->passwordreseted;
$query2 = $sql->prepare("UPDATE `userdata` SET `token`='',`security`=?,`salt`=? WHERE `id`=? LIMIT 1");
$query2->execute(array($password, $salt, $row['id']));
$query2 = $sql->prepare("UPDATE `userdata` SET `token`='',`security`=? WHERE `id`=? LIMIT 1");
$query2->execute(array(password_hash($ui->password('password1', 255, 'post'), PASSWORD_DEFAULT), $row['id']));
}
} else if ($ui->password('password1', 255, 'post') != $ui->password('password2', 255, 'post')) {
@ -223,36 +222,15 @@ if ($ui->st('w', 'get') == 'lo') {
$id = $row['id'];
$active = $row['active'];
$mail = $row['mail'];
$salt = $row['salt'];
$externalID = $row['externalID'];
$security = $row['security'];
$resellerid = $row['resellerid'];
$accounttype = $row['accounttype'];
$userpassNew = createHash($username, $password, $salt, $aeskey);
$passwordCorrect = passwordCheck($password, $row['security'], $row['cname'], $row['salt'], $aeskey);
if (isset($security) and $security != $userpassNew) {
$userpassOld = passwordhash($username, $password);
// some systems do not care about security at all.
// In case we imported users from such insecure implementations we need to migrate to something safe
$md5Import = md5($password);
if ($userpassOld == $security or $md5Import == $security) {
$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$userpass = ($userpassOld == $security) ? $userpassOld : $security;
$query = $sql->prepare("UPDATE `userdata` SET `security`=?,`salt`=? WHERE `id`=? LIMIT 1");
$query->execute(array(createHash($username, $password, $salt, $aeskey), $salt, $id));
} else {
$userpass = $userpassNew;
}
} else {
$userpass = $userpassNew;
if ($passwordCorrect !== true and $passwordCorrect !== false) {
$query = $sql->prepare("UPDATE `userdata` SET `security`=? WHERE `id`=? LIMIT 1");
$query->execute(array($passwordCorrect, $id));
}
}
@ -267,14 +245,18 @@ if ($ui->st('w', 'get') == 'lo') {
$id = $row['userID'];
$username = $row['loginName'];
$active = $row['active'];
$salt = $row['salt'];
$security = $row['passwordHashed'];
$resellerid = $row['resellerID'];
$userpass = createHash($username, $password, $salt, $aeskey);
$passwordCorrect = passwordCheck($password, $row['passwordHashed'], $row['loginName'], $row['salt'], $aeskey);
if ($passwordCorrect !== true and $passwordCorrect !== false) {
$query = $sql->prepare("UPDATE `userdata_substitutes` SET `passwordHashed`=? WHERE `sID`=? LIMIT 1");
$query->execute(array($passwordCorrect, $sID));
}
}
}
if (isset($active) and $active == 'Y' and $security != $userpass) {
if (!isset($sID) and isset($active) and $active == 'Y' and isset($passwordCorrect) and $passwordCorrect === false) {
$authLookupID = ($resellerid == $id) ? 0 : $resellerid;
@ -316,11 +298,10 @@ if ($ui->st('w', 'get') == 'lo') {
if ($xmlReply and isset($xmlReply->success) and $xmlReply->success == 1 and $xmlReply->user == $username) {
$externalOK = 1;
$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$passwordCorrect = true;
$query = $sql->prepare("UPDATE `userdata` SET `security`=?,`salt`=? WHERE `id`=? LIMIT 1");
$query->execute(array(createHash($username, $password, $salt, $aeskey), $salt, $id));
$query = $sql->prepare("UPDATE `userdata` SET `security`=? WHERE `id`=? LIMIT 1");
$query->execute(array(password_hash($password, PASSWORD_DEFAULT), $id));
} else if ($xmlReply and isset($xmlReply->error)) {
$externalAuthError = $xmlReply->error;
@ -331,7 +312,7 @@ if ($ui->st('w', 'get') == 'lo') {
}
}
if (isset($active) and $active == 'Y' and ($security == $userpass or (isset($externalOK) and $externalOK == 1))) {
if (isset($active) and $active == 'Y' and isset($passwordCorrect) and $passwordCorrect) {
session_unset();
session_destroy();
@ -433,7 +414,7 @@ if ($ui->st('w', 'get') == 'lo') {
}
}
} else if (!isset($security) or $security != $userpass) {
} else if (!isset($passwordCorrect) or $passwordCorrect === false) {
$halfhour = date('Y-m-d H:i:s', strtotime('+30 minutes'));

15
web/stuff/api_users.php
View File

@ -38,6 +38,7 @@
*/
include(EASYWIDIR . '/stuff/keyphrasefile.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
$username = '';
$externalID = '';
@ -170,11 +171,14 @@ if (array_value_exists('action','add',$data)) {
}
if (!isset($success) and isset($localID) and isset($insert) and $insert == true) {
if (!isset($data['password']) or in_array($data['password'],$bad)) $password=passwordgenerate(10);
$passwordhash=createHash($username,$password,$salt,$aeskey);
$query = $sql->prepare("UPDATE `userdata` SET `cname`=?,`security`=? WHERE `id`=? LIMIT 1");
$query->execute(array($username,$passwordhash,$localID));
$query->execute(array($username, password_hash($password, PASSWORD_DEFAULT), $localID));
$query = $sql->prepare("INSERT INTO `userdata_groups` (`userID`,`groupID`,`resellerID`) VALUES (?,?,?)");
foreach ($userGroupIDs as $groupID) $query->execute(array($localID,$groupID,$resellerID));
foreach ($userGroupIDs as $groupID) {
$query->execute(array($localID, $groupID, $resellerID));
}
} else if (!isset($success)) {
$success['false'][] = 'Could not write user to database';
}
@ -200,10 +204,7 @@ if (array_value_exists('action','add',$data)) {
$what = array();
if (isset($data['password']) and !in_array($data['password'],$bad)) {
$password = $data['password'];
$salt=md5(mt_rand().date('Y-m-d H:i:s:u'));
$security=createHash($name,$data['password'],$salt,$aeskey);
$what['security'] = $security;
$what['salt'] = $salt;
$what['security'] = password_hash($password, PASSWORD_DEFAULT);
}
if (isset($data['email']) and ismail($data['email'])) {
$what['mail'] = $data['email'];

20
web/stuff/functions.php
View File

@ -89,7 +89,25 @@ if (!function_exists('passwordgenerate')) {
return false;
}
function passwordCheck ($password, $storedHash, $username = '', $salt = '', $aeskey = '') {
// Easy-WI uses the PHP hash API introduced with version 5.5.
// Return true in case the password is ok
if (password_verify($password, $storedHash)) {
return true;
// Password is correctly but stored in an old or insecure format. We need to hash it with a secure implementation.
// Insecure implementations like md5 or sha1 are imported from other systems with the cloud.php job.
} else if (createHash($username, $password, $salt, $aeskey) == $storedHash or md5($password) == $storedHash or sha1($password) == $storedHash or passwordhash($username, $password) == $storedHash) {
return password_hash($password, PASSWORD_DEFAULT);
}
// Password Is Not Correct
return false;
}
function szrp ($value) {
$szrm = array('ä' => 'ae','ö' => 'oe','ü' => 'ue','Ä' => 'Ae','Ö' => 'Oe','Ü' => 'Ue','ß' => 'ss','á' => 'a','à' => 'a','Á' => 'A','À' => 'A','é' => 'e','è' => 'e','É' => 'E','È' => 'E','ó' => 'o','ò' => 'o','Ó' => 'O','Ò' => 'O','ú' => 'u','ù' => 'u','Ú' => 'U','Ù' => 'U');
return strtolower(preg_replace('/[^a-zA-Z0-9]{1}/', '-', strtr($value, $szrm)));

7
web/stuff/global_userdata.php
View File

@ -36,6 +36,7 @@
*/
include(EASYWIDIR . '/stuff/keyphrasefile.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
if ($ui->st('w', 'get') == 'se') {
if ((!isset($user_id) or $main!=1) or (isset($user_id) and !$pa['usersettings'])) {
@ -88,10 +89,8 @@ if ($ui->st('d', 'get') == 'pw') {
$query = $sql->prepare("SELECT `cname` FROM `userdata` WHERE `id`=? AND `resellerid`=? LIMIT 1");
$query->execute(array($lookUpID,$reseller_id));
$cname = $query->fetchColumn();
$salt = md5(mt_rand().date('Y-m-d H:i:s:u'));
$security = createHash($cname,$ui->password('pass2', 255, 'post'),$salt,$aeskey);
$query = $sql->prepare("UPDATE `userdata` SET `updateTime`=NOW(),`security`=?,`salt`=? WHERE `id`=? AND `resellerid`=? LIMIT 1");
$query->execute(array($security,$salt,$lookUpID,$reseller_id));
$query = $sql->prepare("UPDATE `userdata` SET `updateTime`=NOW(),`security`=? WHERE `id`=? AND `resellerid`=? LIMIT 1");
$query->execute(array(password_hash($password, PASSWORD_DEFAULT) ,$lookUpID,$reseller_id));
if ($query->rowCount()>0) {
$template_file = $spracheResponse->table_add;
$loguseraction="%psw% %user% $cname";

8
web/stuff/page_register.php
View File

@ -1,4 +1,5 @@
<?php
/**
* File: page_register.php.
* Author: Ulrich Block
@ -37,6 +38,8 @@
* Programm erhalten haben. Wenn nicht, siehe <http://www.gnu.org/licenses/>.
*/
include(EASYWIDIR . '/third_party/password_compat/password.php');
if (!isset($page_include) or (isset($user_id)) or isset($admin_id) or isset($reseller_id)) {
if (isset($page_data->canurl)) header('Location: '.$page_data->canurl);
else header('Location: index.php');
@ -159,11 +162,8 @@ if (isset($registration) and in_array($registration, array('A','M','D'))) {
$query->execute(array($mail,$activeHash,$salutation = $ui->id('salutation',1, 'post'),$ui->st('country', 'post'),$name,$vname,$bday,$ui->phone('phone',50, 'post'),$ui->phone('fax',50, 'post'),$ui->phone('handy',50, 'post'),$ui->names('city',50, 'post'),$ui->id('cityn',6, 'post'),$ui->names('street',50, 'post'),$ui->w('streetn',6, 'post')));
$userID = $sql->lastInsertId();
// generate hash
$hash=createHash($rSA['prefix2'].$userID,$ui->password('password',100, 'post'),$userSalt,$aeskey);
$query = $sql->prepare("UPDATE `userdata` SET `cname`=?,`security`=?,`salt`=? WHERE `id`=? LIMIT 1");
$query->execute(array($rSA['prefix2'].$userID,$hash,$userSalt,$userID));
$query->execute(array($rSA['prefix2'].$userID, password_hash($ui->password('password', 100, 'post'), PASSWORD_DEFAULT), $userID));
// Setup default Group
$query = $sql->prepare("SELECT `id` FROM `usergroups` WHERE `grouptype`='u' AND `active`='Y' AND `defaultgroup`='Y' AND `resellerid`=0 LIMIT 1");

23
web/stuff/user.php
View File

@ -1,4 +1,5 @@
<?php
/**
* File: user.php.
* Author: Ulrich Block
@ -34,11 +35,14 @@
* Sie sollten eine Kopie der GNU General Public License zusammen mit diesem
* Programm erhalten haben. Wenn nicht, siehe <http://www.gnu.org/licenses/>.
*/
include(EASYWIDIR . '/stuff/keyphrasefile.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
if ((!isset($admin_id) or $main!=1) or (isset($admin_id) and !$pa['user'] and !$pa['user_users'])) {
header('Location: admin.php');
die();
}
include(EASYWIDIR . '/stuff/keyphrasefile.php');
$sprache = getlanguagefile('user',$user_language,$reseller_id);
$rsprache = getlanguagefile('reseller',$user_language,$reseller_id);
$loguserid = $admin_id;
@ -281,17 +285,14 @@ if ($ui->w('action', 4, 'post') and !token(true)) {
$resellersid = $reseller_id;
}
$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$security2 = createHash($cnamenew, $password, $salt, $aeskey);
$query = $sql->prepare("UPDATE `userdata` SET `cname`=?,`security`=?,`salt`=?,`resellerid`=? WHERE `id`=? LIMIT 1");
$query = $sql->prepare("UPDATE `userdata` SET `cname`=?,`security`=?,`resellerid`=? WHERE `id`=? LIMIT 1");
if ($user_accounttype == 'a') {
$query->execute(array($cnamenew, $security2, $salt, $id, $id));
$query->execute(array($cnamenew, password_hash($password, PASSWORD_DEFAULT), $id, $id));
} else if ($user_accounttype == 'r' and $admin_id == $reseller_id) {
$query->execute(array($cnamenew, $security2, $salt, $reseller_id, $id));
$query->execute(array($cnamenew, password_hash($password, PASSWORD_DEFAULT), $reseller_id, $id));
} else if ($user_accounttype == 'r') {
$query->execute(array($cnamenew, $security2, $salt, $admin_id, $id));
$query->execute(array($cnamenew, password_hash($password, PASSWORD_DEFAULT), $admin_id, $id));
}
sendmail('emailuseradd',$id,$cnamenew,$password);
@ -631,10 +632,8 @@ if ($ui->w('action', 4, 'post') and !token(true)) {
} else {
if ($reseller_id != 0 and $admin_id != $reseller_id) $reseller_id = $admin_id;
$password = $ui->password('password',20, 'post');
$salt=md5(mt_rand().date('Y-m-d H:i:s:u'));
$security=createHash($cname,$password,$salt,$aeskey);
$query=($reseller_id == 0) ? $sql->prepare("UPDATE `userdata` SET `updateTime`=NOW(),`security`=?,`salt`=? WHERE id=? AND (`resellerid`=? OR `id`=`resellerid`) LIMIT 1") : $sql->prepare("UPDATE `userdata` SET `updateTime`=NOW(),`security`=?,`salt`=? WHERE id=? AND `resellerid`=? LIMIT 1");
$query->execute(array($security,$salt,$id,$reseller_id));
$query=($reseller_id == 0) ? $sql->prepare("UPDATE `userdata` SET `updateTime`=NOW(),`security`=? WHERE id=? AND (`resellerid`=? OR `id`=`resellerid`) LIMIT 1") : $sql->prepare("UPDATE `userdata` SET `updateTime`=NOW(),`security`=?,`salt`=? WHERE id=? AND `resellerid`=? LIMIT 1");
$query->execute(array(password_hash($password, PASSWORD_DEFAULT), $id, $reseller_id));
$template_file = $spracheResponse->table_add ."<br />";
$loguseraction="%psw% %user% $cname";
$insertlog->execute();

13
web/stuff/userpanel_substitutes.php
View File

@ -39,13 +39,14 @@
* Programm erhalten haben. Wenn nicht, siehe <http://www.gnu.org/licenses/>.
*/
include(EASYWIDIR . '/stuff/keyphrasefile.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
if (!isset($main) or $main!=1 or !isset($user_id) or !isset($user_language) or !isset($reseller_id) or isset($_SESSION['substitute'])) {
header('Location: userpanel.php');
die;
}
include(EASYWIDIR . '/stuff/keyphrasefile.php');
$sprache = getlanguagefile('user',$user_language,$reseller_id);
if ($ui->w('action', 4, 'post') and !token(true)) {
$template_file = $spracheResponse->token;
@ -113,8 +114,8 @@ if ($ui->w('action', 4, 'post') and !token(true)) {
$template_file = $userError;
} else {
$salt=md5(mt_rand().date('Y-m-d H:i:s:u'));
$query = $sql->prepare("INSERT INTO `userdata_substitutes` (`userID`,`active`,`loginName`,`name`,`vname`,`salt`,`passwordHashed`,`resellerID`) VALUES (?,?,?,?,?,?,?,?)");
$query->execute(array($user_id,$ui->active('active', 'post'),$ui->names('loginName',255, 'post'),$ui->names('name',255, 'post'),$ui->names('vname',255, 'post'),$salt,createHash($ui->names('loginName',255, 'post'),$ui->password('security',255, 'post'),$salt,$aeskey),$reseller_id));
$query = $sql->prepare("INSERT INTO `userdata_substitutes` (`userID`,`active`,`loginName`,`name`,`vname`,`passwordHashed`,`resellerID`) VALUES (?,?,?,?,?,?,?)");
$query->execute(array($user_id,$ui->active('active', 'post'),$ui->names('loginName',255, 'post'),$ui->names('name',255, 'post'),$ui->names('vname',255, 'post'), password_hash($ui->password('security',255, 'post'), PASSWORD_DEFAULT), $reseller_id));
if ($query->rowCount()>0) {
$changed = true;
}
@ -126,8 +127,8 @@ if ($ui->w('action', 4, 'post') and !token(true)) {
$query = $sql->prepare("SELECT `loginName` FROM `userdata_substitutes` WHERE `sID`=? AND `resellerID`=? LIMIT 1");
$query->execute(array($id,$reseller_id));
$loginName = $query->fetchColumn();
$query = $sql->prepare("UPDATE `userdata_substitutes` SET `active`=?,`name`=?,`vname`=?,`salt`=?,`passwordHashed`=? WHERE `sID`=? AND `userID`=? AND `resellerID`=? LIMIT 1");
$query->execute(array($ui->active('active', 'post'),$ui->names('name',255, 'post'),$ui->names('vname',255, 'post'),$salt,createHash($loginName,$ui->password('security',255, 'post'),$salt,$aeskey),$id,$user_id,$reseller_id));
$query = $sql->prepare("UPDATE `userdata_substitutes` SET `active`=?,`name`=?,`vname`=?,`passwordHashed`=? WHERE `sID`=? AND `userID`=? AND `resellerID`=? LIMIT 1");
$query->execute(array($ui->active('active', 'post'),$ui->names('name',255, 'post'),$ui->names('vname',255, 'post'),password_hash($ui->password('security',255, 'post'), PASSWORD_DEFAULT), $id,$user_id,$reseller_id));
} else {
$query = $sql->prepare("UPDATE `userdata_substitutes` SET `active`=?,`name`=?,`vname`=? WHERE `sID`=? AND `userID`=? AND `resellerID`=? LIMIT 1");
$query->execute(array($ui->active('active', 'post'),$ui->names('name',255, 'post'),$ui->names('vname',255, 'post'),$id,$user_id,$reseller_id));

8
web/stuff/voice_master.php
View File

@ -41,6 +41,7 @@
include(EASYWIDIR . '/stuff/keyphrasefile.php');
include(EASYWIDIR . '/stuff/class_voice.php');
include(EASYWIDIR . '/stuff/ssh_exec.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
if ((!isset($admin_id) or $main != 1) or (isset($admin_id) and !$pa['voicemasterserver'])) {
header('Location: admin.php');
@ -662,12 +663,9 @@ if ($ui->w('action',4, 'post') and !token(true)) {
}
if ($usernew == true) {
$initialpassword = passwordgenerate(10);
$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$security = createHash($ui->username("$virtualserver_id-username",50, 'post'), $initialpassword, $salt, $aeskey);
$query = $sql->prepare("INSERT INTO `userdata` (`cname`,`security`,`mail`,`accounttype`,`salt`,`resellerid`) VALUES (?,?,?,'u',?,?)");
$query->execute(array($ui->username("$virtualserver_id-username",50, 'post'), $security, $ui->ismail("$virtualserver_id-email", 'post'), $salt, $reseller_id));
$query = $sql->prepare("INSERT INTO `userdata` (`cname`,`security`,`mail`,`accounttype`,`resellerid`) VALUES (?,?,?,'u',?)");
$query->execute(array($ui->username("$virtualserver_id-username",50, 'post'), password_hash(passwordgenerate(10), PASSWORD_DEFAULT), $ui->ismail("$virtualserver_id-email", 'post'), $reseller_id));
$query = $sql->prepare("SELECT `id` FROM `userdata` WHERE `cname`=? AND `mail`=? AND `resellerid`=? ORDER BY `id` DESC LIMIT 1");
$query->execute(array($ui->username("$virtualserver_id-username",50, 'post'), $ui->ismail("$virtualserver_id-email", 'post'), $reseller_id));

7
web/stuff/voice_tsdns.php
View File

@ -1,4 +1,5 @@
<?php
/**
* File: voice_tsdns.php.
* Author: Ulrich Block
@ -43,6 +44,7 @@ if ((!isset($admin_id) or $main!=1) or (isset($admin_id) and !$pa['voiceserver']
}
include(EASYWIDIR . '/stuff/keyphrasefile.php');
include(EASYWIDIR . '/stuff/class_voice.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
$sprache = getlanguagefile('voice',$user_language,$reseller_id);
$loguserid = $admin_id;
@ -299,11 +301,8 @@ if ($ui->w('action', 4, 'post') and !token(true)) {
$cnamenew = $ui->username("${lookUp}-username",50, 'post');
}
if ($usernew == true) {
$initialpassword=passwordgenerate(10);
$salt=md5(mt_rand().date('Y-m-d H:i:s:u'));
$security=createHash($ui->username("${lookUp}-username",50, 'post'),$initialpassword,$salt,$aeskey);
$query = $sql->prepare("INSERT INTO `userdata` (`cname`,`security`,`mail`,`accounttype`,`resellerid`) VALUES (?,?,?,'u',?)");
$query->execute(array($ui->username("${lookUp}-username",50, 'post'),$security,$ui->ismail("${lookUp}-email", 'post'),$reseller_id));
$query->execute(array($ui->username("${lookUp}-username",50, 'post'),password_hash(passwordgenerate(10), PASSWORD_DEFAULT),$ui->ismail("${lookUp}-email", 'post'),$reseller_id));
$query = $sql->prepare("SELECT `id` FROM `userdata` WHERE `cname`=? AND `mail`=? AND `resellerid`=? ORDER BY `id` DESC LIMIT 1");
$query->execute(array($ui->username("${lookUp}-username",50, 'post'),$ui->ismail("${lookUp}-email", 'post'),$reseller_id));
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {

4
web/template/default/page_header.tpl
View File

@ -140,8 +140,8 @@
<?php if($page_data->lendactive=='Y'){ ?>
<li class="nav-header"><?php echo $page_data->pages['lendserver']['linkname'];?></li>
<li <?php if($s=='lendserver' and !isset($servertype)) echo 'class="active"';?>><?php echo $page_data->pages['lendserver']['href'];?></li>
<li <?php if(isset($servertype) and $servertype=='v') echo 'class="active"';?>><?php echo $page_data->pages['lendservervoice']['href'];?></li>
<li <?php if(isset($servertype) and $servertype=='g') echo 'class="active"';?>><?php echo $page_data->pages['lendservergs']['href'];?></li>
<?php if (isset($page_data->pages['lendservervoice'])) { ?><li <?php if(isset($servertype) and $servertype=='v') echo 'class="active"';?>><?php echo $page_data->pages['lendservervoice']['href'];?></li><?php } ?>
<?php if (isset($page_data->pages['lendservergs'])) { ?><li <?php if(isset($servertype) and $servertype=='g') echo 'class="active"';?>><?php echo $page_data->pages['lendservergs']['href'];?></li><?php } ?>
<li class="divider"></li>
<?php } ?>
<li class="nav-header"><?php echo $gsprache->pages;?></li>

219
web/third_party/password_compat/password.php vendored Normal file
View File

@ -0,0 +1,219 @@
<?php
/**
* A Compatibility library with PHP 5.5's simplified password hashing API.
*
* @author Anthony Ferrara <ircmaxell@php.net>
* @license http://www.opensource.org/licenses/mit-license.html MIT License
* @copyright 2012 The Authors
*/
if (!defined('PASSWORD_DEFAULT')) {
define('PASSWORD_BCRYPT', 1);
define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);
/**
* Hash the password using the specified algorithm
*
* @param string $password The password to hash
* @param int $algo The algorithm to use (Defined by PASSWORD_* constants)
* @param array $options The options for the algorithm to use
*
* @return string|false The hashed password, or false on error.
*/
function password_hash($password, $algo, array $options = array()) {
if (!function_exists('crypt')) {
trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING);
return null;
}
if (!is_string($password)) {
trigger_error("password_hash(): Password must be a string", E_USER_WARNING);
return null;
}
if (!is_int($algo)) {
trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING);
return null;
}
switch ($algo) {
case PASSWORD_BCRYPT:
// Note that this is a C constant, but not exposed to PHP, so we don't define it here.
$cost = 10;
if (isset($options['cost'])) {
$cost = $options['cost'];
if ($cost < 4 || $cost > 31) {
trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING);
return null;
}
}
// The length of salt to generate
$raw_salt_len = 16;
// The length required in the final serialization
$required_salt_len = 22;
$hash_format = sprintf("$2y$%02d$", $cost);
break;
default:
trigger_error(sprintf("password_hash(): Unknown password hashing algorithm: %s", $algo), E_USER_WARNING);
return null;
}
if (isset($options['salt'])) {
switch (gettype($options['salt'])) {
case 'NULL':
case 'boolean':
case 'integer':
case 'double':
case 'string':
$salt = (string) $options['salt'];
break;
case 'object':
if (method_exists($options['salt'], '__tostring')) {
$salt = (string) $options['salt'];
break;
}
case 'array':
case 'resource':
default:
trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING);
return null;
}
if (strlen($salt) < $required_salt_len) {
trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", strlen($salt), $required_salt_len), E_USER_WARNING);
return null;
} elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) {
$salt = str_replace('+', '.', base64_encode($salt));
}
} else {
$buffer = '';
$buffer_valid = false;
if (function_exists('mcrypt_create_iv') && !defined('PHALANGER')) {
$buffer = mcrypt_create_iv($raw_salt_len, MCRYPT_DEV_URANDOM);
if ($buffer) {
$buffer_valid = true;
}
}
if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) {
$buffer = openssl_random_pseudo_bytes($raw_salt_len);
if ($buffer) {
$buffer_valid = true;
}
}
if (!$buffer_valid && is_readable('/dev/urandom')) {
$f = fopen('/dev/urandom', 'r');
$read = strlen($buffer);
while ($read < $raw_salt_len) {
$buffer .= fread($f, $raw_salt_len - $read);
$read = strlen($buffer);
}
fclose($f);
if ($read >= $raw_salt_len) {
$buffer_valid = true;
}
}
if (!$buffer_valid || strlen($buffer) < $raw_salt_len) {
$bl = strlen($buffer);
for ($i = 0; $i < $raw_salt_len; $i++) {
if ($i < $bl) {
$buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));
} else {
$buffer .= chr(mt_rand(0, 255));
}
}
}
$salt = str_replace('+', '.', base64_encode($buffer));
}
$salt = substr($salt, 0, $required_salt_len);
$hash = $hash_format . $salt;
$ret = crypt($password, $hash);
if (!is_string($ret) || strlen($ret) <= 13) {
return false;
}
return $ret;
}
/**
* Get information about the password hash. Returns an array of the information
* that was used to generate the password hash.
*
* array(
* 'algo' => 1,
* 'algoName' => 'bcrypt',
* 'options' => array(
* 'cost' => 10,
* ),
* )
*
* @param string $hash The password hash to extract info from
*
* @return array The array of information about the hash.
*/
function password_get_info($hash) {
$return = array(
'algo' => 0,
'algoName' => 'unknown',
'options' => array(),
);
if (substr($hash, 0, 4) == '$2y$' && strlen($hash) == 60) {
$return['algo'] = PASSWORD_BCRYPT;
$return['algoName'] = 'bcrypt';
list($cost) = sscanf($hash, "$2y$%d$");
$return['options']['cost'] = $cost;
}
return $return;
}
/**
* Determine if the password hash needs to be rehashed according to the options provided
*
* If the answer is true, after validating the password using password_verify, rehash it.
*
* @param string $hash The hash to test
* @param int $algo The algorithm used for new password hashes
* @param array $options The options array passed to password_hash
*
* @return boolean True if the password needs to be rehashed.
*/
function password_needs_rehash($hash, $algo, array $options = array()) {
$info = password_get_info($hash);
if ($info['algo'] != $algo) {
return true;
}
switch ($algo) {
case PASSWORD_BCRYPT:
$cost = isset($options['cost']) ? $options['cost'] : 10;
if ($cost != $info['options']['cost']) {
return true;
}
break;
}
return false;
}
/**
* Verify a password against a hash using a timing attack resistant approach
*
* @param string $password The password to verify
* @param string $hash The hash to verify against
*
* @return boolean If the password matches the hash
*/
function password_verify($password, $hash) {
if (!function_exists('crypt')) {
trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING);
return false;
}
$ret = crypt($password, $hash);
if (!is_string($ret) || strlen($ret) != strlen($hash) || strlen($ret) <= 13) {
return false;
}
$status = 0;
for ($i = 0; $i < strlen($ret); $i++) {
$status |= (ord($ret[$i]) ^ ord($hash[$i]));
}
return $status === 0;
}
}