Fixes for sometimes over-hashed passwords

diff --git a/inc/autopurge/purge-mails.php b/inc/autopurge/purge-mails.php
index a2f0ade9a93c4c581c64c3848b3dcc1d1051e81d..2a2df0f17af43314fa6eb8c9a58e4196d2161f31 100644 (file)
--- a/inc/autopurge/purge-mails.php
+++ b/inc/autopurge/purge-mails.php
@@ -58,7 +58,7 @@ ORDER BY
        `sender` ASC", __FILE__, __LINE__);
 
 // Reset counter...
-$DELETED = '0';
+$deletedStats = '0';
 
 // Do we have "purged" mails?
 if (SQL_NUMROWS($result_mails) > 0) {
@@ -69,7 +69,7 @@ if (SQL_NUMROWS($result_mails) > 0) {
                        // Okay we found some mails!
                        SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM `{?_MYSQL_PREFIX?}_pool` WHERE `sender`=%s",
                                array(bigintval($content['sender'])), __FILE__, __LINE__);
-                       $DELETED += SQL_AFFECTEDROWS();
+                       $deletedStats += SQL_AFFECTEDROWS();
 
                        // Reset query (to prevent possible errors) ...;
                        $result_mails = SQL_QUERY("SELECT
@@ -106,7 +106,7 @@ if (SQL_NUMROWS($result_mails) > 0) {
                        // Okay we found some mails!
                        SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM `{?_MYSQL_PREFIX?}_user_stats` WHERE `sender`=%s",
                                array(bigintval($content['sender'])), __FILE__, __LINE__);
-                       $DELETED += SQL_AFFECTEDROWS();
+                       $deletedStats += SQL_AFFECTEDROWS();
 
                        // Reset query (to prevent possible errors) ...
                        $result_mails = SQL_QUERY("SELECT
@@ -125,9 +125,9 @@ ORDER BY
 SQL_FREERESULT($result_mails);
 
 // Do we have deleted mails and the admin want's to receive a notification
-if (($DELETED > 0) && (getConfig('ap_dm_notify') == 'Y')) {
+if (($deletedStats > 0) && (getConfig('ap_dm_notify') == 'Y')) {
        // Send out email to admin
-       sendAdminNotification(getMessage('AUTOPURGE_ADMIN_DEL_MAILS_SUBJECT'), 'admin_autopurge_del_mails', $DELETED, '');
+       sendAdminNotification(getMessage('AUTOPURGE_ADMIN_DEL_MAILS_SUBJECT'), 'admin_autopurge_del_mails', $deletedStats, '');
 } // END - if
 
 //

diff --git a/inc/autopurge/purge-tsks.php b/inc/autopurge/purge-tsks.php
index 04acbb5e0a9828344bcb2325419ea25c2164ca83..d39f7f198125cd15ef7539c2ff303694b3106414 100644 (file)
--- a/inc/autopurge/purge-tsks.php
+++ b/inc/autopurge/purge-tsks.php
@@ -48,7 +48,7 @@ if ((!isExtensionActive('autopurge')) || (getConfig('auto_purge_active') != 'Y')
 } // END - if
 
 // Check version (must be > 0.0)
-if ((getExtensionVersion('task') > '0.0') && (getConfig('autopurge_tasks') == 'Y')) {
+if ((isExtensionInstalledAndNewer('task') > '0.0') && (getConfig('autopurge_tasks') == 'Y')) {
        // Purge deleted tasks (no notification to admin)
        SQL_QUERY("DELETE LOW_PRIORITY
 FROM
@@ -57,12 +57,12 @@ WHERE
        `status`='DELETED' AND `task_created` <= (UNIX_TIMESTAMP() - {?ap_tasks_time?})", __FILE__, __LINE__);
 
        // Get deleted rows
-       $DELETED = SQL_AFFECTEDROWS();
+       $deletedTasks = SQL_AFFECTEDROWS();
 
        // Do we need to send a notification?
-       if (($DELETED > 0) && (getConfig('ap_tasks_notify') == 'Y')) {
+       if (($deletedTasks > 0) && (getConfig('ap_tasks_notify') == 'Y')) {
                // Send out email to admin
-               sendAdminNotification(getMessage('AUTOPURGE_ADMIN_TASKS_SUBJECT'), "admin_autopurge_tsks", $DELETED, '');
+               sendAdminNotification(getMessage('AUTOPURGE_ADMIN_TASKS_SUBJECT'), 'admin_autopurge_tsks', $deletedTasks, '');
        } // END - if
 } // END - if
 

diff --git a/inc/functions.php b/inc/functions.php
index 14630ab3b4f7b65fbe13eecabe7ced0c572066ee..921cda0aea979a1322e5097f2c3fc18413a9ed07 100644 (file)
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -2074,11 +2074,17 @@ function generateEmailLink ($email, $table = 'admins') {
 }
 
 // Generate a hash for extra-security for all passwords
-function generateHash ($plainText, $salt = '') {
+function generateHash ($plainText, $salt = '', $hash = true) {
        // Is the required extension 'sql_patches' there and a salt is not given?
        if (((isExtensionInstalledAndOlder('sql_patches', '0.3.6')) || (!isExtensionActive('sql_patches')) || (!isExtensionInstalledAndNewer('other', '0.2.5'))) && (empty($salt))) {
                // Extension sql_patches is missing/outdated so we hash the plain text with MD5
-               return md5($plainText);
+               if ($hash === true) {
+                       // Is plain password
+                       return md5($plainText);
+               } else {
+                       // Is already a hash
+                       return $plainText;
+               }
        } // END - if
 
        // Do we miss an arry element here?
@@ -2218,35 +2224,37 @@ function generatePassString ($passHash) {
        $ret = $passHash;
 
        // Is a secret key and master salt already initialized?
-       if ((isExtensionInstalled('sql_patches')) && (isExtensionInstalledAndNewer('other', '0.2.5')) && (isConfigEntrySet('_PRIME')) && (isConfigEntrySet('secret_key')) && (isConfigEntrySet('master_salt'))) {
+       if ((isExtensionInstalled('sql_patches')) && (isConfigEntrySet('_PRIME')) && (isConfigEntrySet('secret_key')) && (isConfigEntrySet('master_salt'))) {
                // Only calculate when the secret key is generated
+               if (strlen($passHash) != getConfig('secret_key')) {
+                       // Both keys must have same length
+                       debug_report_bug('Hash lengths do not match! (' . strlen($passHash) . '!=' . strlen(getConfig('secret_key')) . ')');
+               } // END - if
+
                $newHash = ''; $start = 9;
-               for ($idx = '0'; $idx < 10; $idx++) {
-                       $part1 = hexdec(substr($passHash, $start, 4));
-                       $part2 = hexdec(substr(getConfig('secret_key'), $start, 4));
+               //* DEBUG: */ outputHtml('passHash=' . $passHash . '(' . strlen($passHash) . ')<br />');
+               for ($idx = 0; $idx < 20; $idx++) {
+                       $part1 = hexdec(substr($passHash, ($idx * 2), 2));
+                       $part2 = hexdec(substr(getConfig('secret_key'), $start, 2));
+                       //* DEBUG: */ outputHtml('part1='.$part1.'/part2='.$part2.'<br />');
                        $mod = dechex($idx);
                        if ($part1 > $part2) {
                                $mod = dechex(sqrt(($part1 - $part2) * getConfig('_PRIME') / pi()));
                        } elseif ($part2 > $part1) {
                                $mod = dechex(sqrt(($part2 - $part1) * getConfig('_PRIME') / pi()));
                        }
-                       $mod = substr($mod, 0, 4);
+                       $mod = substr($mod, 0, 2);
                        //* DEBUG: */ outputHtml('part1='.$part1.'/part2='.$part2.'/mod=' . $mod . '('.strlen($mod).')<br />');
-                       $mod = str_repeat(0, (4 - strlen($mod))) . $mod;
-                       //* DEBUG: */ outputHtml('*' . $start . '=' . $mod . '*<br />');
-                       $start += 4;
+                       $mod = str_repeat(0, (2 - strlen($mod))) . $mod;
+                       //* DEBUG: */ outputHtml('mod(' . ($idx * 2) . ')=' . $mod . '*<br />');
+                       $start += 2;
                        $newHash .= $mod;
                } // END - for
 
-               //* DEBUG: */ print($passHash.'<br />' . $newHash." (".strlen($newHash).')<br />');
+               //* DEBUG: */ print($passHash . '<br />' . $newHash . ' (' . strlen($newHash) . ')<br />');
                $ret = generateHash($newHash, getConfig('master_salt'));
-               //* DEBUG: */ print('ret='.$ret.'<br />');
-       } else {
-               // Hash it simple
-               //* DEBUG: */ outputHtml("--" . $passHash."--<br />");
-               $ret = md5($passHash);
-               //* DEBUG: */ outputHtml("++" . $ret."++<br />");
-       }
+               //* DEBUG: */ print('ret=' . $ret . '<br />');
+       } // END - if
 
        // Return result
        return $ret;

diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php
index 76499f3675ce018c631fd1f9acf8d12575b24bd4..76e4a85d13b06dd44e19b14047ad4f3b392e5a02 100644 (file)
--- a/inc/modules/admin/admin-inc.php
+++ b/inc/modules/admin/admin-inc.php
@@ -208,7 +208,7 @@ function doAdminLogin ($adminLogin, $passHash) {
 
        // Now set all session variables and return the result
        return ((
-               setSession('admin_md5', generatePassString($passHash))
+               setSession('admin_md5', generatePassString(generateHash($passHash, '', false)))
        ) && (
                setSession('admin_login', $adminLogin)
        ) && (

diff --git a/inc/mysql-manager.php b/inc/mysql-manager.php
index 30aa831a000bf40ea87d550c7444c0dc160917a1..178a027606baf27bdd64f3a4bbed171646d87a88 100644 (file)
--- a/inc/mysql-manager.php
+++ b/inc/mysql-manager.php
@@ -695,7 +695,9 @@ function fetchUserData ($userid, $column = 'userid') {
 // This patched function will reduce many SELECT queries for the specified or current admin login
 function isAdmin ($admin = '') {
        // Init variables
-       $ret = false; $passCookie = ''; $valPass = '';
+       $ret = false;
+       $passCookie = '';
+       $valPass = '';
        //* DEBUG: */ print(__FUNCTION__.':'.$admin.'<br />');
 
        // If admin login is not given take current from cookies...
@@ -724,9 +726,12 @@ function isAdmin ($admin = '') {
 
                        // Count cache hits
                        incrementStatsEntry('cache_hits');
-               } elseif ((!empty($admin)) && ((!isExtensionActive('cache'))) || (isAdminHashSet($admin) === false)) {
+               } elseif ((!empty($admin)) && ((!isExtensionActive('cache')) || (isAdminHashSet($admin) === false))) {
                        // Get admin hash and hash it
                        $valPass = generatePassString(getAdminHash($admin));
+
+                       // Cache it away
+                       $GLOBALS['admin_hash'] = $valPass;
                }
 
                if (!empty($valPass)) {