@@ -29,6 +29,11 @@ function mkhash($username, $password, $salt = false) { | |||
return $hash; | |||
} | |||
function generate_salt() { | |||
mt_srand(microtime(true) * 100000 + memory_get_usage(true)); | |||
return md5(uniqid(mt_rand(), true)); | |||
} | |||
function login($username, $password, $makehash=true) { | |||
global $mod; | |||
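Review bot: generate_salt() draws its salt from mt_rand() after reseeding with `microtime(true) * 100000 + memory_get_usage(true)`, which is not a CSPRNG, and the reseed ties the generator state to the request time, so the salt is guessable by anyone who can estimate when the account was created; uniqid() adds little beyond the clock. Use an OS-backed source and keep the 32-hex-char width the `salt CHAR(32)` column expects: `return bin2hex(openssl_random_pseudo_bytes(16));` (or `random_bytes(16)` on PHP ≥ 7). A predictable salt does not break the hash itself, but it gives up the per-user uniqueness the salt exists for, and the same reseed pattern appears to be copied into the upgrade step later in this commit. login() begins in this hunk and its body continues outside it.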
@@ -37,20 +42,23 @@ function login($username, $password, $makehash=true) { | |||
$password = sha1($password); | |||
} | |||
$query = prepare("SELECT `id`,`type`,`boards` FROM `mods` WHERE `username` = :username AND `password` = :password LIMIT 1"); | |||
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM `mods` WHERE `username` = :username"); | |||
$query->bindValue(':username', $username); | |||
$query->bindValue(':password', $password); | |||
$query->execute() or error(db_error($query)); | |||
if ($user = $query->fetch()) { | |||
return $mod = array( | |||
'id' => $user['id'], | |||
'type' => $user['type'], | |||
'username' => $username, | |||
'hash' => mkhash($username, $password), | |||
'boards' => explode(',', $user['boards']) | |||
); | |||
} else return false; | |||
if ($user = $query->fetch(PDO::FETCH_ASSOC)) { | |||
if ($user['password'] === hash('sha256', $user['salt'] . $password)) { | |||
return $mod = array( | |||
'id' => $user['id'], | |||
'type' => $user['type'], | |||
'username' => $username, | |||
'hash' => mkhash($username, $user['password']), | |||
'boards' => explode(',', $user['boards']) | |||
); | |||
} | |||
} | |||
return false; | |||
} | |||
function setCookies() { | |||
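Review bot: The verification at `$user['password'] === hash('sha256', $user['salt'] . $password)` applies one unstretched SHA-256 over a SHA-1 digest, so a leaked `mods` table can be cracked at raw hash speed; the salt only defeats precomputed tables. A work-factor hash — `crypt()` with a `$2y$` bcrypt salt, or `password_hash()`/`password_verify()` where the PHP version allows — would be the durable fix, with the three writers in the mod-user paths of this commit sharing one helper so the scheme cannot drift from login(). If this scheme stays, compare with `hash_equals()` where available rather than `===`, since the early-exit string compare leaks a small timing signal. The `$makehash` branch at the top of login() is outside the hunk.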
@@ -104,10 +112,10 @@ if (isset($_COOKIE[$config['cookies']['mod']])) { | |||
exit; | |||
} | |||
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1"); | |||
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username"); | |||
$query->bindValue(':username', $cookie[0]); | |||
$query->execute() or error(db_error($query)); | |||
$user = $query->fetch(); | |||
$user = $query->fetch(PDO::FETCH_ASSOC); | |||
// validate password hash | |||
if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) { | |||
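Review bot: `$user` is used at `mkhash($cookie[0], $user['password'], $cookie[2])` without checking that the fetch found a row; for a cookie naming a nonexistent moderator `$user` is `false`, `$user['password']` is null, and mkhash (whose body is mostly outside this page) is computed with a null password instead of the request being rejected outright. Guard it before the compare: `if (!$user || $cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {`. Whether the code after this hunk builds `$mod` from that `false` row cannot be seen here, but failing closed at this point costs nothing.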
@@ -1407,9 +1407,13 @@ function mod_user($uid) { | |||
} | |||
if ($_POST['password'] != '') { | |||
$query = prepare('UPDATE `mods` SET `password` = SHA1(:password) WHERE `id` = :id'); | |||
$salt = generate_salt(); | |||
$password = hash('sha256', $salt . sha1($_POST['password'])); | |||
$query = prepare('UPDATE `mods` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); | |||
$query->bindValue(':id', $uid); | |||
$query->bindValue(':password', $_POST['password']); | |||
$query->bindValue(':password', $password); | |||
$query->bindValue(':salt', $salt); | |||
$query->execute() or error(db_error($query)); | |||
modLog('Changed password for ' . utf8tohtml($_POST['username']) . ' <small>(#' . $user['id'] . ')</small>'); | |||
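Review bot: The pair `$salt = generate_salt(); $password = hash('sha256', $salt . sha1($_POST['password']));` is hand-copied here and again in the self-change and new-user paths of this commit, while login() re-derives the same expression independently; a single helper next to generate_salt() — e.g. `function mkpassword($plain, $salt) { return hash('sha256', $salt . sha1($plain)); }` — is the only way to keep the four sites from drifting when the scheme changes (for instance to bcrypt). Calling it here becomes `$password = mkpassword($_POST['password'], $salt);`. The enclosing `if` and mod_user() as a whole extend beyond the hunk.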
@@ -1430,9 +1434,13 @@ function mod_user($uid) { | |||
if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) { | |||
if ($_POST['password'] != '') { | |||
$query = prepare('UPDATE `mods` SET `password` = SHA1(:password) WHERE `id` = :id'); | |||
$salt = generate_salt(); | |||
$password = hash('sha256', $salt . sha1($_POST['password'])); | |||
$query = prepare('UPDATE `mods` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); | |||
$query->bindValue(':id', $uid); | |||
$query->bindValue(':password', $_POST['password']); | |||
$query->bindValue(':password', $password); | |||
$query->bindValue(':salt', $salt); | |||
$query->execute() or error(db_error($query)); | |||
modLog('Changed own password'); | |||
@@ -1494,9 +1502,13 @@ function mod_user_new() { | |||
if ($_POST['type'] !== JANITOR && $_POST['type'] !== MOD && $_POST['type'] !== ADMIN) | |||
error(sprintf($config['error']['invalidfield'], 'type')); | |||
$query = prepare('INSERT INTO `mods` VALUES (NULL, :username, SHA1(:password), :type, :boards)'); | |||
$salt = generate_salt(); | |||
$password = hash('sha256', $salt . sha1($_POST['password'])); | |||
$query = prepare('INSERT INTO `mods` VALUES (NULL, :username, :password, :salt, :type, :boards)'); | |||
$query->bindValue(':username', $_POST['username']); | |||
$query->bindValue(':password', $_POST['password']); | |||
$query->bindValue(':password', $password); | |||
$query->bindValue(':salt', $salt); | |||
$query->bindValue(':type', $_POST['type']); | |||
$query->bindValue(':boards', implode(',', $boards)); | |||
$query->execute() or error(db_error($query)); | |||
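Review bot: The INSERT at `INSERT INTO mods VALUES (NULL, :username, :password, :salt, :type, :boards)` relies on positional column order, so it only works because the upgrade adds `salt` exactly `AFTER password`; a table created or altered any other way would put the values into the wrong columns or fail. Name the columns: `INSERT INTO mods (username, password, salt, type, boards) VALUES (:username, :password, :salt, :type, :boards)`. The hash derivation on the two lines above repeats the one in mod_user(); a shared helper would keep both aligned with login(). mod_user_new() begins before this hunk.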
@@ -1,7 +1,7 @@ | |||
<?php | |||
// Installation/upgrade file | |||
define('VERSION', 'v0.9.6-dev-8'); | |||
define('VERSION', 'v0.9.6-dev-9'); | |||
require 'inc/functions.php'; | |||
@@ -229,6 +229,25 @@ if (file_exists($config['has_installed'])) { | |||
} | |||
case 'v0.9.6-dev-7': | |||
query("ALTER TABLE `bans` ADD `seen` BOOLEAN NOT NULL") or error(db_error()); | |||
case 'v0.9.6-dev-8': | |||
query("ALTER TABLE `mods` CHANGE `password` `password` CHAR( 64 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT 'SHA256'") or error(db_error()); | |||
query("ALTER TABLE `mods` ADD `salt` CHAR( 32 ) NOT NULL AFTER `password`") or error(db_error()); | |||
$query = query("SELECT `id`,`password` FROM `mods`") or error(db_error()); | |||
while ($user = $query->fetch(PDO::FETCH_ASSOC)) { | |||
if (strlen($user['password']) == 40) { | |||
mt_srand(microtime(true) * 100000 + memory_get_usage(true)); | |||
$salt = md5(uniqid(mt_rand(), true)); | |||
$user['salt'] = $salt; | |||
$user['password'] = hash('sha256', $user['salt'] . $user['password']); | |||
$_query = prepare("UPDATE `mods` SET `password` = :password, `salt` = :salt WHERE `id` = :id"); | |||
$_query->bindValue(':username', $user['id']); | |||
$_query->bindValue(':password', $user['password']); | |||
$_query->bindValue(':salt', $user['salt']); | |||
$_query->execute() or error(db_error($_query)); | |||
} | |||
} | |||
case false: | |||
// Update version number | |||
file_write($config['has_installed'], VERSION); | |||
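Review bot: The re-hash loop binds the row id to the wrong placeholder — `$_query->bindValue(':username', $user['id']);` — while the statement only defines `:id`, so `:id` is never bound and execute() fails on the first legacy row; with `or error(...)` that aborts the upgrade after both ALTER TABLEs have already run, and a rerun of this `case` would then hit the duplicate `salt` column. Change it to `$_query->bindValue(':id', $user['id']);`. The inline `mt_srand(...)` / `md5(uniqid(mt_rand(), true))` salt is a copy of generate_salt() (which may not be loaded here, since this file is shown requiring only inc/functions.php) and inherits its predictability; an OS-backed `bin2hex(openssl_random_pseudo_bytes(16))` would serve both. The `case 'v0.9.6-dev-8'` body ends at `case false:` inside this hunk, but the surrounding switch is outside it.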
@@ -129,9 +129,10 @@ CREATE TABLE IF NOT EXISTS `modlogs` ( | |||
-- | |||
CREATE TABLE IF NOT EXISTS `mods` ( | |||
`id` smallint(6) UNSIGNED NOT NULL AUTO_INCREMENT, | |||
`id` smallint(6) unsigned NOT NULL AUTO_INCREMENT, | |||
`username` varchar(30) NOT NULL, | |||
`password` char(40) NOT NULL COMMENT 'SHA1', | |||
`password` char(64) NOT NULL COMMENT 'SHA256', | |||
`salt` char(32) NOT NULL, | |||
`type` smallint(1) NOT NULL COMMENT '0: janitor, 1: mod, 2: admin', | |||
`boards` text NOT NULL, | |||
PRIMARY KEY (`id`), | |||
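Review bot: The column comment `COMMENT 'SHA256'` understates the scheme the code actually stores — `hash('sha256', salt . sha1(password))` per the writers in this commit — and the new `salt` column carries no comment at all; anyone doing a later migration needs the exact construction, not just the algorithm name. Suggest `COMMENT 'SHA256(salt . SHA1(password))'` on `password` and `COMMENT '32 hex chars, see generate_salt()'` on `salt`. The CREATE TABLE statement continues past the hunk.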
@@ -143,7 +144,7 @@ CREATE TABLE IF NOT EXISTS `mods` ( | |||
-- | |||
INSERT INTO `mods` (`id`, `username`, `password`, `type`, `boards`) VALUES | |||
(1, 'admin', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', 2, '*'); | |||
(1, 'admin', 'cedad442efeef7112fed0f50b011b2b9bf83f6898082f995f69dd7865ca19fb7', '4a44c6c55df862ae901b413feecb0d49', 2, '*'); | |||
-- -------------------------------------------------------- | |||
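Review bot: The seed row now supplies six values — `(1, 'admin', '<hash>', '<salt>', 2, '*')` — but the column list on the line above, which the hunk shows as unchanged, still names five (`id, username, password, type, boards`), so a fresh install's INSERT would fail with a column-count mismatch; the list needs `salt`: `INSERT INTO mods (id, username, password, salt, type, boards) VALUES`. Separately, shipping a fixed salt means every installation's admin row shares the same salt and the same hash of the default password, so the salt does nothing for this account until the password is changed; generating the salt and hash at install time would avoid that.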