From eabdde5dcb8d13c2b9ffb269eb6b85b55f1031d6 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Mon, 4 Jan 2021 11:41:34 +0100
Subject: [PATCH] - dont use md5 on remote users

---
 interface/lib/classes/remoting.inc.php        | 30 ++++++++++++-------
 .../web/admin/form/remote_user.tform.php      | 10 +++----
 2 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php
index 751edcf024..f3b597830b 100644
--- a/interface/lib/classes/remoting.inc.php
+++ b/interface/lib/classes/remoting.inc.php
@@ -128,13 +128,23 @@ class remoting {
 			$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
 			return $remote_session;
 		} else {
-			$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
-			$remote_user = $app->db->queryOneRecord($sql, $username, $password);
+			$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = ?";
+			$remote_user = $app->db->queryOneRecord($sql, $username, $app->auth->crypt_password($password));
+			if(!$remote_user) {
+				// fallback to md5
+				$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = ?";
+				$remote_user = $app->db->queryOneRecord($sql, $username, md5($password));
+				if($remote_user) {
+					// update hash algo
+					$sql = 'UPDATE `remote_user` SET `remote_password` = ? WHERE `remote_username` = ?';
+					$app->db->query($sql, $app->auth->crypt_password($password), $username);
+				}
+			}
 			if($remote_user['remote_userid'] > 0) {
 				if (trim($remote_user['remote_ips']) != '') {
 					$allowed_ips = explode(',',$remote_user['remote_ips']);
-					foreach($allowed_ips as $i => $allowed) { 
-						if(!filter_var($allowed, FILTER_VALIDATE_IP)) { 
+					foreach($allowed_ips as $i => $allowed) {
+						if(!filter_var($allowed, FILTER_VALIDATE_IP)) {
 							// get the ip for a hostname
 							unset($allowed_ips[$i]);
 							$temp=dns_get_record($allowed, DNS_A+DNS_AAAA);
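Review bot: The new lookup at line 22 compares the stored hash against a freshly computed `$app->auth->crypt_password($password)` in SQL, which can only match if that helper is deterministic; if it generates a per-call salt (as crypt-style hashes normally do, and as the `CRYPT` form encryption in the second file suggests), the first query never finds a user and every login silently degrades to the md5 fallback, re-writing a new hash each time while still authenticating via md5. The record should instead be fetched by `remote_username` alone and the password verified in PHP with the auth class's comparison helper (`crypt_password_compare` in this codebase, as far as I can tell — please confirm its name), keeping the md5 branch only as a one-time upgrade path guarded by `hash_equals`. The enclosing login method starts before this hunk and continues past it, so the `$remote_user['remote_userid'] > 0` check at line 33 keeps the same shape below.
```php
$sql = "SELECT * FROM remote_user WHERE remote_username = ?";
$remote_user = $app->db->queryOneRecord($sql, $username);
if($remote_user && !$app->auth->crypt_password_compare($password, $remote_user['remote_password'])) {
	// legacy md5 record: accept once, then upgrade the stored hash
	if(hash_equals($remote_user['remote_password'], md5($password))) {
		$sql = 'UPDATE `remote_user` SET `remote_password` = ? WHERE `remote_username` = ?';
		$app->db->query($sql, $app->auth->crypt_password($password), $username);
	} else {
		$remote_user = false;
	}
}
// … unchanged: remote_userid / remote_ips checks …
```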
@@ -169,7 +179,7 @@ class remoting {
 				if(!$remote_allowed) {
 					throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
 					return false;
-				}	
+				}
 				//* Create a remote user session
 				//srand ((double)microtime()*1000000);
 				$remote_session = md5(mt_rand().uniqid('ispco'));
@@ -368,22 +378,22 @@ class remoting {
 
 		//* Load the form definition
 		$app->remoting_lib->loadFormDef($formdef_file);
-		
+
 		//* get old record and merge with params, so only new values have to be set in $params
                $old_rec = $app->remoting_lib->getDataRecord($primary_id, $client_id);
-		
+
 		foreach ($app->remoting_lib->formDef['fields'] as $fieldName => $fieldConf)
         {
             if ($fieldConf['formtype'] === 'PASSWORD' && empty($params[$fieldName])) {
                 unset($old_rec[$fieldName]);
             }
         }
-		
+
 		$params = $app->functions->array_merge($old_rec,$params);
 
 		//* Get the SQL query
 		$sql = $app->remoting_lib->getSQL($params, 'UPDATE', $primary_id);
-		
+
 		// throw new SoapFault('debug', $sql);
 		if($app->remoting_lib->errorMessage != '') {
 			throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
@@ -546,7 +556,7 @@ class remoting {
 			return false;
 		}
 	}
-	
+
 	/**
 	    Gets a list of all servers
 	    @param int session_id
diff --git a/interface/web/admin/form/remote_user.tform.php b/interface/web/admin/form/remote_user.tform.php
index 6e351730c2..0a8595f1b8 100644
--- a/interface/web/admin/form/remote_user.tform.php
+++ b/interface/web/admin/form/remote_user.tform.php
@@ -109,7 +109,7 @@ $form["tabs"]['remote_user'] = array (
 					'errmsg' => 'weak_password_txt'
 				)
 			),
-			'encryption' => 'MD5',
+			'encryption' => 'CRYPT',
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -124,11 +124,11 @@ $form["tabs"]['remote_user'] = array (
 		'remote_ips' => array (
 			'datatype'  => 'TEXT',
 			'formtype'  => 'TEXT',
-			'validators'  => array (  
+			'validators'  => array (
 				0 => array (
-					'type' => 'CUSTOM', 
-					'class' => 'validate_remote_user', 
-					'function' => 'valid_remote_ip', 
+					'type' => 'CUSTOM',
+					'class' => 'validate_remote_user',
+					'function' => 'valid_remote_ip',
 					'errmsg' => 'remote_user_error_ips'),
 			),
 			'default' => '',
-- 
GitLab