From 7bd37c5b061cdea2f987a40ab455c86bc69b7df2 Mon Sep 17 00:00:00 2001 From: Tom Laermans Date: Sat, 19 Mar 2011 20:23:23 +0000 Subject: [PATCH] change from unsalted md5 to salted md5 passwords, migrating passwords as authentication succeeds git-svn-id: http://www.observium.org/svn/observer/trunk@1936 61d68cd4-352d-0410-923a-c4978735b2b8 --- database-update.sql | 1 + html/includes/authentication/mysql.inc.php | 45 ++++++++++++++++++---- includes/polling/ucd-mib.inc.php | 3 +- 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/database-update.sql b/database-update.sql index ffe4ce810..cbdab6db8 100644 --- a/database-update.sql +++ b/database-update.sql @@ -22,3 +22,4 @@ ALTER TABLE ports MODIFY port_descr_circuit VARCHAR(255); ALTER TABLE ports MODIFY port_descr_descr VARCHAR(255); ALTER TABLE ports MODIFY port_descr_notes VARCHAR(255); ALTER TABLE devices MODIFY community VARCHAR(255); +ALTER TABLE users MODIFY password VARCHAR(34); diff --git a/html/includes/authentication/mysql.inc.php b/html/includes/authentication/mysql.inc.php index a145919de..4d1ee77e2 100644 --- a/html/includes/authentication/mysql.inc.php +++ b/html/includes/authentication/mysql.inc.php @@ -2,13 +2,22 @@ function authenticate($username,$password) { - $encrypted = md5($password); - $sql = "SELECT username FROM `users` WHERE `username`='".$username."' AND `password`='".$encrypted."'"; + $encrypted_old = md5($password); + $sql = "SELECT username,password FROM `users` WHERE `username`='".$username."'"; $query = mysql_query($sql); - $row = @mysql_fetch_array($query); + $row = @mysql_fetch_assoc($query); if ($row['username'] && $row['username'] == $username) { - return 1; + // Migrate from old, unhashed password + if ($row['password'] == $encrypted_old) + { + changepassword($username,$password); + return 1; + } + if ($row['password'] == crypt($password,$row['password'])) + { + return 1; + } } return 0; } @@ -18,9 +27,30 @@ function passwordscanchange() return 1; } +/** + * From: http://code.activestate.com/recipes/576894-generate-a-salt/ + * This function generates a password salt as a string of x (default = 15) characters + * ranging from a-zA-Z0-9. + * @param $max integer The number of characters in the string + * @author AfroSoft + */ +function generateSalt($max = 15) +{ + $characterList = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; + $i = 0; + $salt = ""; + do + { + $salt .= $characterList{mt_rand(0,strlen($characterList))}; + $i++; + } while ($i <= $max); + + return $salt; +} + function changepassword($username,$password) { - $encrypted = md5($password); + $encrypted = crypt($password,'$1$' . generateSalt(8).'$'); $sql = "UPDATE `users` SET `password` = '$encrypted' WHERE `username`='".$username."'"; $query = mysql_query($sql); } @@ -34,7 +64,8 @@ function adduser($username, $password, $level, $email = "", $realname = "") { if (!user_exists($username)) { - mysql_query("INSERT INTO `users` (`username`,`password`,`level`, `email`, `realname`) VALUES ('".mres($username)."',MD5('".mres($password)."'),'".mres($level)."','".mres($email)."','".mres($realname)."')"); + $encrypted = crypt($password,'$1$' . generateSalt(8).'$'); + mysql_query("INSERT INTO `users` (`username`,`password`,`level`, `email`, `realname`) VALUES ('".mres($username)."','".mres($encrypted)."','".mres($level)."','".mres($email)."','".mres($realname)."')"); } return mysql_affected_rows(); @@ -42,7 +73,7 @@ function adduser($username, $password, $level, $email = "", $realname = "") function user_exists($username) { - return mysql_result(mysql_query("SELECT * FROM users WHERE username = '".mres($username)."'"),0); + return @mysql_result(mysql_query("SELECT * FROM users WHERE username = '".mres($username)."'"),0); } function get_userlevel($username) diff --git a/includes/polling/ucd-mib.inc.php b/includes/polling/ucd-mib.inc.php index cad8826b9..7c84140c9 100755 --- a/includes/polling/ucd-mib.inc.php +++ b/includes/polling/ucd-mib.inc.php @@ -124,7 +124,8 @@ $mem_rrd_create = " --step 300 \ RRA:MAX:0.5:288:800"; $snmpdata = snmp_get_multi($device, "memTotalSwap.0 memAvailSwap.0 memTotalReal.0 memAvailReal.0 memTotalFree.0 memShared.0 memBuffer.0 memCached.0", "-OQUs", "UCD-SNMP-MIB"); -if (is_array($snmpdata[0])) { +if (is_array($snmpdata[0])) +{ list($memTotalSwap, $memAvailSwap, $memTotalReal, $memAvailReal, $memTotalFree, $memShared, $memBuffer, $memCached) = $snmpdata[0]; foreach (array_keys($snmpdata[0]) as $key) { $$key = $snmpdata[0][$key]; } }