jeena/jlog
1
0
Fork 0
Code Issues Pull requests Projects Packages Wiki Activity Actions

solving issues/2 by replacing md5() with hashPassword() in scripts/general.func.php

Browse source
This commit is contained in:
RobbBienert 2013-10-18 01:36:50 +02:00
parent f0b6325af8
commit 7b8a66c1d4
4 changed files with 15 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

2
admin/login.php
View file

@ -31,7 +31,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' AND $dispatch_login) {
die('Somebody tried to hack Jlog with Response-Splitting.'); die('Somebody tried to hack Jlog with Response-Splitting.');
} }
if (md5($passwort) == JLOG_ADMIN_PASSWORD) { if (hashPassword($passwort) == JLOG_ADMIN_PASSWORD) {
$_SESSION['logged_in'] = true; $_SESSION['logged_in'] = true;
session_regenerate_id(); // neue SID session_regenerate_id(); // neue SID

2
scripts/JlogUpdater.php
View file

@ -59,7 +59,7 @@ class JlogUpdater
function performUpdate($l) function performUpdate($l)
{ {
if (JLOG_AMDIN_PASSWORD !== md5($_POST['jlog_password']) and JLOG_ADMIN_PASSWORD !== md5(utf8_decode($_POST['jlog_password']))) { if (JLOG_AMDIN_PASSWORD !== hashPassword($_POST['jlog_password']) and JLOG_ADMIN_PASSWORD !== hashPassword(utf8_decode($_POST['jlog_password']))) {
return '<p>' . $l['admin']['login_false_pw'] . '</p>'; return '<p>' . $l['admin']['login_false_pw'] . '</p>';
} }

7
scripts/general.func.php
View file

@ -310,4 +310,9 @@ class JLOG_Tags {
else return; else return;
} }
} }
?>
// security functions
function hashPassword($pw) {
// TODO: see iusses/2 for details
return md5($pw);
}

10
scripts/settings.class.php
View file

@ -165,8 +165,8 @@ class Settings {
$this->jlog_admin_password = JLOG_ADMIN_PASSWORD; $this->jlog_admin_password = JLOG_ADMIN_PASSWORD;
} }
else { else {
$this->d['jlog_admin_password'] = md5($this->d['jlog_admin_password']); $this->d['jlog_admin_password'] = hashPassword($this->d['jlog_admin_password']);
$this->d['jlog_admin_password_again'] = md5($this->d['jlog_admin_password_again']); $this->d['jlog_admin_password_again'] = hashPassword($this->d['jlog_admin_password_again']);
} }
$this->d['jlog_installed_version'] = JLOG_INSTALLED_VERSION; $this->d['jlog_installed_version'] = JLOG_INSTALLED_VERSION;
$this->d['jlog_installed_url'] = JLOG_INSTALLED_URL; $this->d['jlog_installed_url'] = JLOG_INSTALLED_URL;
@ -174,8 +174,8 @@ class Settings {
$this->d['jlog_installed_mysqlv'] = JLOG_INSTALLED_MYSQLV; $this->d['jlog_installed_mysqlv'] = JLOG_INSTALLED_MYSQLV;
} }
else { else {
$this->d['jlog_admin_password'] = md5($this->d['jlog_admin_password']); $this->d['jlog_admin_password'] = hashPassword($this->d['jlog_admin_password']);
$this->d['jlog_admin_password_again'] = md5($this->d['jlog_admin_password_again']); $this->d['jlog_admin_password_again'] = hashPassword($this->d['jlog_admin_password_again']);
} }
if((defined('JLOG_SETUP') AND JLOG_SETUP === true)) if((defined('JLOG_SETUP') AND JLOG_SETUP === true))
@ -408,7 +408,7 @@ class Settings {
if(empty($this->d['jlog_website'])) $errors[] = $this->l['admin']['e_website']; if(empty($this->d['jlog_website'])) $errors[] = $this->l['admin']['e_website'];
if(empty($this->d['jlog_publisher'])) $errors[] = $this->l['admin']['e_publisher']; if(empty($this->d['jlog_publisher'])) $errors[] = $this->l['admin']['e_publisher'];
if(defined('JLOG_SETUP') AND JLOG_SETUP) { if(defined('JLOG_SETUP') AND JLOG_SETUP) {
if($this->d['jlog_admin_password'] == md5("")) if($this->d['jlog_admin_password'] == hashPassword(""))
$errors[] = $this->l['admin']['e_admin_password']; $errors[] = $this->l['admin']['e_admin_password'];
elseif($this->d['jlog_admin_password'] !== $this->d['jlog_admin_password_again']) elseif($this->d['jlog_admin_password'] !== $this->d['jlog_admin_password_again'])
$errors[] = $this->l['admin']['e_admin_password_again']; $errors[] = $this->l['admin']['e_admin_password_again'];