solving issues/2 by replacing md5() with hashPassword() in scripts/general.func.php

2013-10-18 01:36:50 +02:00 · 2013-10-18 01:36:50 +02:00 · 7b8a66c1d4
commit 7b8a66c1d4
parent f0b6325af8
4 changed files with 15 additions and 10 deletions
--- a/admin/login.php
+++ b/admin/login.php
@ -31,7 +31,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' AND $dispatch_login) {
 	    die('Somebody tried to hack Jlog with Response-Splitting.');
 	}
 	
-	if (md5($passwort) == JLOG_ADMIN_PASSWORD) {
+	if (hashPassword($passwort) == JLOG_ADMIN_PASSWORD) {
        $_SESSION['logged_in'] = true;
 		session_regenerate_id();	// neue SID
    	
--- a/scripts/JlogUpdater.php
+++ b/scripts/JlogUpdater.php
@ -59,7 +59,7 @@ class JlogUpdater
    
    function performUpdate($l) 
    {
-        if (JLOG_AMDIN_PASSWORD !== md5($_POST['jlog_password']) and JLOG_ADMIN_PASSWORD !== md5(utf8_decode($_POST['jlog_password']))) {
+        if (JLOG_AMDIN_PASSWORD !== hashPassword($_POST['jlog_password']) and JLOG_ADMIN_PASSWORD !== hashPassword(utf8_decode($_POST['jlog_password']))) {
            return '<p>' . $l['admin']['login_false_pw'] . '</p>';
        }
        
@ -146,4 +146,4 @@ class JlogUpdater
    }
 }

-// eof
+// eof
--- a/scripts/general.func.php
+++ b/scripts/general.func.php
@ -310,4 +310,9 @@ class JLOG_Tags {
          else return;
      }
 }
-?>
+
+// security functions
+function hashPassword($pw) {
+	// TODO: see iusses/2 for details
+	return md5($pw);
+}
--- a/scripts/settings.class.php
+++ b/scripts/settings.class.php
@ -165,8 +165,8 @@ class Settings {
                $this->jlog_admin_password = JLOG_ADMIN_PASSWORD;
            }
            else {
-                $this->d['jlog_admin_password'] = md5($this->d['jlog_admin_password']);
-                $this->d['jlog_admin_password_again'] = md5($this->d['jlog_admin_password_again']);
+                $this->d['jlog_admin_password'] = hashPassword($this->d['jlog_admin_password']);
+                $this->d['jlog_admin_password_again'] = hashPassword($this->d['jlog_admin_password_again']);
            }
            $this->d['jlog_installed_version'] = JLOG_INSTALLED_VERSION;
            $this->d['jlog_installed_url'] = JLOG_INSTALLED_URL;
@ -174,8 +174,8 @@ class Settings {
            $this->d['jlog_installed_mysqlv'] = JLOG_INSTALLED_MYSQLV;
        }
        else {
-            $this->d['jlog_admin_password'] = md5($this->d['jlog_admin_password']);
-            $this->d['jlog_admin_password_again'] = md5($this->d['jlog_admin_password_again']);
+            $this->d['jlog_admin_password'] = hashPassword($this->d['jlog_admin_password']);
+            $this->d['jlog_admin_password_again'] = hashPassword($this->d['jlog_admin_password_again']);
        }
        
        if((defined('JLOG_SETUP') AND JLOG_SETUP === true)) 
@ -408,7 +408,7 @@ class Settings {
        if(empty($this->d['jlog_website'])) $errors[] = $this->l['admin']['e_website'];
        if(empty($this->d['jlog_publisher'])) $errors[] = $this->l['admin']['e_publisher'];
        if(defined('JLOG_SETUP') AND JLOG_SETUP) {
-          if($this->d['jlog_admin_password'] == md5(""))
+          if($this->d['jlog_admin_password'] == hashPassword(""))
          $errors[] = $this->l['admin']['e_admin_password'];
          elseif($this->d['jlog_admin_password'] !== $this->d['jlog_admin_password_again'])
          $errors[] = $this->l['admin']['e_admin_password_again'];
@ -530,4 +530,4 @@ class Settings {
    }
 }

-// eof
+// eof