Skip to content
Snippets Groups Projects
Commit eabdde5d authored by Marius Burkard's avatar Marius Burkard
Browse files

- dont use md5 on remote users

parent dbfb249a
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
interface/lib/classes/remoting.inc.php
+ 20
10
View file @ eabdde5d
......@@ -128,13 +128,23 @@ class remoting {
$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
return $remote_session;
} else {
$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
$remote_user = $app->db->queryOneRecord($sql, $username, $password);
$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = ?";
$remote_user = $app->db->queryOneRecord($sql, $username, $app->auth->crypt_password($password));
if(!$remote_user) {
// fallback to md5
$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = ?";
$remote_user = $app->db->queryOneRecord($sql, $username, md5($password));
if($remote_user) {
// update hash algo
$sql = 'UPDATE `remote_user` SET `remote_password` = ? WHERE `remote_username` = ?';
$app->db->query($sql, $app->auth->crypt_password($password), $username);
}
}
if($remote_user['remote_userid'] > 0) {
if (trim($remote_user['remote_ips']) != '') {
$allowed_ips = explode(',',$remote_user['remote_ips']);
foreach($allowed_ips as $i => $allowed) {
if(!filter_var($allowed, FILTER_VALIDATE_IP)) {
foreach($allowed_ips as $i => $allowed) {
if(!filter_var($allowed, FILTER_VALIDATE_IP)) {
// get the ip for a hostname
unset($allowed_ips[$i]);
$temp=dns_get_record($allowed, DNS_A+DNS_AAAA);
......@@ -169,7 +179,7 @@ class remoting {
if(!$remote_allowed) {
throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
return false;
}
}
//* Create a remote user session
//srand ((double)microtime()*1000000);
$remote_session = md5(mt_rand().uniqid('ispco'));
......@@ -368,22 +378,22 @@ class remoting {
//* Load the form definition
$app->remoting_lib->loadFormDef($formdef_file);
//* get old record and merge with params, so only new values have to be set in $params
$old_rec = $app->remoting_lib->getDataRecord($primary_id, $client_id);
foreach ($app->remoting_lib->formDef['fields'] as $fieldName => $fieldConf)
{
if ($fieldConf['formtype'] === 'PASSWORD' && empty($params[$fieldName])) {
unset($old_rec[$fieldName]);
}
}
$params = $app->functions->array_merge($old_rec,$params);
//* Get the SQL query
$sql = $app->remoting_lib->getSQL($params, 'UPDATE', $primary_id);
// throw new SoapFault('debug', $sql);
if($app->remoting_lib->errorMessage != '') {
throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
......@@ -546,7 +556,7 @@ class remoting {
return false;
}
}
/**
Gets a list of all servers
@param int session_id
......
interface/web/admin/form/remote_user.tform.php
+ 5
5
View file @ eabdde5d
......@@ -109,7 +109,7 @@ $form["tabs"]['remote_user'] = array (
'errmsg' => 'weak_password_txt'
)
),
'encryption' => 'MD5',
'encryption' => 'CRYPT',
'default' => '',
'value' => '',
'width' => '30',
......@@ -124,11 +124,11 @@ $form["tabs"]['remote_user'] = array (
'remote_ips' => array (
'datatype' => 'TEXT',
'formtype' => 'TEXT',
'validators' => array (
'validators' => array (
0 => array (
'type' => 'CUSTOM',
'class' => 'validate_remote_user',
'function' => 'valid_remote_ip',
'type' => 'CUSTOM',
'class' => 'validate_remote_user',
'function' => 'valid_remote_ip',
'errmsg' => 'remote_user_error_ips'),
),
'default' => '',
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment