From 4ea10b5a5bb8c255456ac2eeced9447ae7bbda55 Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Thu, 15 Dec 2022 13:24:51 +0100
Subject: [PATCH 1/5] changed user password hashing
---
 pandora_console/extras/mr/60.sql | 2 ++
 pandora_console/include/auth/mysql.php | 20 +++++++++++++-------
 pandora_console/pandoradb.sql | 2 +-
 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/pandora_console/extras/mr/60.sql b/pandora_console/extras/mr/60.sql
index 638c4b3031..622e73c173 100644
--- a/pandora_console/extras/mr/60.sql
+++ b/pandora_console/extras/mr/60.sql
@@ -8,4 +8,6 @@ ALTER TABLE `tagent_custom_fields` ADD `is_link_enabled` TINYINT(1) NOT NULL DEF
 ALTER TABLE `tevent_filter` ADD COLUMN `owner_user` TEXT;
 ALTER TABLE `tevent_filter` ADD COLUMN `not_search` INT NOT NULL DEFAULT 0;
 
+ALTER TABLE `tusuario` MODIFY COLUMN `password` VARCHAR(60) DEFAULT NULL;
+
 COMMIT;
diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php
index 8725f0f819..8d222a2504 100644
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@@ -213,10 +213,16 @@ function process_user_login_local($login, $pass, $api=false)
     $row = db_get_row_sql($sql);
 
-    // Check that row exists, that password is not empty and that password is the same hash
-    if ($row !== false && $row['password'] !== md5('')
-        && $row['password'] == md5($pass)
-    ) {
+    // Perform password check whether it is MD5-hashed (old hashing) or Bcrypt-hashed.
+    if (strlen($row['password']) === 32) {
+        // MD5.
+        $credentials_check = $row !== false && $row['password'] !== md5('') && $row['password'] == md5($pass);
+    } else {
+        // Bcrypt.
+        $credentials_check = password_verify($pass, $row['password']);
+    }
+
+    if ($credentials_check === true) {
         // Login OK
         // Nick could be uppercase or lowercase (select in MySQL
         // is not case sensitive)
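Review bot: VARCHAR(60) leaves no headroom on `tusuario.password`: 60 is exactly the length of the `$2y$` string that `password_hash($password, PASSWORD_BCRYPT)` produces in the mysql.php hunks, so a later switch to PASSWORD_DEFAULT or argon2 would yield longer hashes that MySQL either rejects in strict mode or silently truncates, after which `password_verify()` fails for every affected user. Recording the coupling next to the statement would save the next maintainer a guess, e.g. `-- 60 = length of a $2y$ bcrypt hash; widen this column if include/auth/mysql.php changes the password_hash() algorithm.`. The same sizing applies to the pandoradb.sql hunk in this patch.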
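Review bot: The new branch selector evaluates `strlen($row['password'])` and, on the else path, `password_verify($pass, $row['password'])` before anything checks that `$row` is not `false`; the `$row !== false` guard now survives only inside the MD5 branch. For an unknown login `db_get_row_sql` presumably returns `false`, so `$row['password']` is null, `strlen(null)` is 0 (deprecated in PHP 8.1) and the bcrypt branch runs `password_verify($pass, null)`, a TypeError under strict_types and otherwise just false; a row whose `password` column is NULL (the column is `DEFAULT NULL` in the pandoradb.sql hunk) reaches the same call. The old `!== md5('')` sentinel that refused accounts with an empty stored password also has no bcrypt counterpart, and the `==` between two hex strings is the loose comparison `hash_equals()` exists to avoid. Hoisting one explicit guard restores the previous behaviour for both hash formats; the hunk's trailing context appears cut off and process_user_login_local continues beyond it.
```php
    // … unchanged: $row = db_get_row_sql($sql); …
    if ($row === false || $row['password'] === null || $row['password'] === '') {
        // Unknown user or no local password stored: never reach a hash comparison.
        $credentials_check = false;
    } elseif (strlen($row['password']) === 32) {
        // Legacy MD5 hash; md5('') marks an account with no usable password.
        $credentials_check = $row['password'] !== md5('') && hash_equals($row['password'], md5($pass));
    } else {
        // Bcrypt hash.
        $credentials_check = password_verify($pass, $row['password']);
    }
    // … unchanged: if ($credentials_check === true) { … login OK … } …
```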
@@ -656,7 +662,7 @@ function create_user($id_user, $password, $user_info)
 {
     $values = $user_info;
     $values['id_user'] = $id_user;
-    $values['password'] = md5($password);
+    $values['password'] = password_hash($password, PASSWORD_BCRYPT);
     $values['last_connect'] = 0;
     $values['registered'] = get_system_time();
 
@@ -766,7 +772,7 @@ function update_user_password(string $user, string $password_new)
     if (isset($config['auth']) === true && $config['auth'] === 'pandora') {
         $sql = sprintf(
-            "UPDATE tusuario SET password = '".md5($password_new)."', last_pass_change = '".date('Y-m-d H:i:s', get_system_time())."' WHERE id_user = '".$user."'"
+            "UPDATE tusuario SET password = '".password_hash($password_new, PASSWORD_BCRYPT)."', last_pass_change = '".date('Y-m-d H:i:s', get_system_time())."' WHERE id_user = '".$user."'"
         );
 
         $connection = mysql_connect_db(
@@ -786,7 +792,7 @@ function update_user_password(string $user, string $password_new)
         return db_process_sql_update(
             'tusuario',
             [
-                'password' => md5($password_new),
+                'password' => password_hash($password_new, PASSWORD_BCRYPT),
                 'last_pass_change' => date('Y/m/d H:i:s', get_system_time()),
             ],
             ['id_user' => $user]
diff --git a/pandora_console/pandoradb.sql b/pandora_console/pandoradb.sql
index f135db927e..c9f77702c0 100644
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@@ -1275,7 +1275,7 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
   `firstname` VARCHAR(255) NOT NULL,
   `lastname` VARCHAR(255) NOT NULL,
   `middlename` VARCHAR(255) NOT NULL,
-  `password` VARCHAR(45) DEFAULT NULL,
+  `password` VARCHAR(60) DEFAULT NULL,
   `comments` VARCHAR(200) DEFAULT NULL,
   `last_connect` BIGINT NOT NULL DEFAULT 0,
   `registered` BIGINT NOT NULL DEFAULT 0,
From 7e507d454ba0a149699546fece77b2c9916ce867 Mon Sep 17 00:00:00 2001
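Review bot: The rewritten UPDATE in the hunk at 766 still splices `$user` and the hash into the statement by string concatenation inside a placeholder-less `sprintf()`, so the 'pandora' auth branch remains a string-built query while the other branch (hunk at 786) goes through `db_process_sql_update` with a values array. Since this function is what the later patch in the series calls to rehash on login, routing both branches through the parameterised helper — or at minimum escaping `$user` with the project's DB escaping before interpolation — would close the gap instead of carrying it forward. Also visible across the two hunks: `last_pass_change` is stamped as `Y-m-d H:i:s` in one branch and `Y/m/d H:i:s` in the other, which any expiry comparison on that column should not have to tolerate. The rest of update_user_password lies outside these hunks.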
From: "alejandro.campos@artica.es"
Date: Fri, 16 Dec 2022 12:12:11 +0100
Subject: [PATCH 2/5] change password field length
---
 pandora_console/extras/mr/60.sql | 2 +-
 pandora_console/pandoradb.sql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pandora_console/extras/mr/60.sql b/pandora_console/extras/mr/60.sql
index 622e73c173..73948ea8d8 100644
--- a/pandora_console/extras/mr/60.sql
+++ b/pandora_console/extras/mr/60.sql
@@ -8,6 +8,6 @@ ALTER TABLE `tagent_custom_fields` ADD `is_link_enabled` TINYINT(1) NOT NULL DEF
 ALTER TABLE `tevent_filter` ADD COLUMN `owner_user` TEXT;
 ALTER TABLE `tevent_filter` ADD COLUMN `not_search` INT NOT NULL DEFAULT 0;
 
-ALTER TABLE `tusuario` MODIFY COLUMN `password` VARCHAR(60) DEFAULT NULL;
+ALTER TABLE `tusuario` MODIFY COLUMN `password` VARCHAR(72) DEFAULT NULL;
 
 COMMIT;
diff --git a/pandora_console/pandoradb.sql b/pandora_console/pandoradb.sql
index c9f77702c0..c16b075c4b 100644
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@@ -1275,7 +1275,7 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
   `firstname` VARCHAR(255) NOT NULL,
   `lastname` VARCHAR(255) NOT NULL,
   `middlename` VARCHAR(255) NOT NULL,
-  `password` VARCHAR(60) DEFAULT NULL,
+  `password` VARCHAR(72) DEFAULT NULL,
   `comments` VARCHAR(200) DEFAULT NULL,
   `last_connect` BIGINT NOT NULL DEFAULT 0,
   `registered` BIGINT NOT NULL DEFAULT 0,
From bd7480a1e1c0a4cbc7732a78aba21e318893231c Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Tue, 20 Dec 2022 12:22:43 +0100
Subject: [PATCH 3/5] bcrypt implementation
---
 pandora_console/include/auth/mysql.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php
index 8d222a2504..618696069b 100644
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@@ -237,6 +237,11 @@ function process_user_login_local($login, $pass, $api=false)
             return false;
         }
 
+        // Override password to use Bcrypt encryption.
+        if (strlen($row['password']) === 32) {
+            update_user_password($login, $pass);
+        }
+
         return $row['id_user'];
     } else {
         if (!user_can_login($login)) {
@@ -753,7 +758,7 @@ function delete_user(string $id_user)
 
 
 /**
- * Update the password in MD5 for user pass as id_user with
+ * Update the password using BCRYPT algorithm for specific id_user passing
  * password in plain text.
  *
  * @param string $user User ID.
@@ -1056,7 +1061,7 @@ function create_user_and_permisions_ldap(
     $values['id_user'] = $id_user;
 
     if ($config['ldap_save_password'] || $config['ad_save_password']) {
-        $values['password'] = md5($password);
+        $values['password'] = password_hash($password, PASSWORD_BCRYPT);
     }
 
     $values['last_connect'] = 0;
@@ -1488,9 +1493,9 @@ function change_local_user_pass_ldap($id_user, $password)
     $local_user_pass = db_get_value_filter('password', 'tusuario', ['id_user' => $id_user]);
 
     $return = false;
-    if (md5($password) !== $local_user_pass) {
+    if (password_hash($password, PASSWORD_BCRYPT) !== $local_user_pass) {
         $values_update = [];
-        $values_update['password'] = md5($password);
+        $values_update['password'] = password_hash($password, PASSWORD_BCRYPT);
         $return = db_process_sql_update('tusuario', $values_update, ['id_user' => $id_user]);
     }
 
From 22b63222c9aab67b0533f60c341238d0ddcd1b4d Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Tue, 20 Dec 2022 12:27:58 +0100
Subject: [PATCH 4/5] bcrypt implementation
---
 pandora_console/extras/mr/60.sql | 2 +-
 pandora_console/pandoradb.sql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pandora_console/extras/mr/60.sql b/pandora_console/extras/mr/60.sql
index 73948ea8d8..622e73c173 100644
--- a/pandora_console/extras/mr/60.sql
+++ b/pandora_console/extras/mr/60.sql
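Review bot: The transparent MD5-to-bcrypt upgrade at 237 calls `update_user_password($login, $pass)`, which in the earlier patch also writes `last_pass_change` with the current time, so a user's first login after this deploy is recorded as a password change and any expiry policy keyed on that column is reset without the user choosing a new password. A narrower write that touches only the hash avoids that side effect, e.g. `db_process_sql_update('tusuario', ['password' => password_hash($pass, PASSWORD_BCRYPT)], ['id_user' => $row['id_user']]);`, using the DB-cased id from `$row` rather than the submitted `$login`. A comment stating the precondition would also help the next reader: `// One-time upgrade of a legacy MD5 hash; $pass was just verified against it above.`. The enclosing function continues outside the hunk.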
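Review bot: In the hunk at 1488, `password_hash($password, PASSWORD_BCRYPT) !== $local_user_pass` is always true, because each `password_hash()` call draws a fresh random salt and so never reproduces the stored string even when the password is unchanged; the md5 comparison it replaced did not have this property. The test should verify rather than re-hash: `if (password_verify($password, (string) $local_user_pass) === false) {` — the cast covers the case where `db_get_value_filter` returns something other than a string for a user with no stored password. As written, every call rewrites the row and spends a bcrypt computation plus a write per LDAP login. change_local_user_pass_ldap continues past the hunk.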
@@ -8,6 +8,6 @@ ALTER TABLE `tagent_custom_fields` ADD `is_link_enabled` TINYINT(1) NOT NULL DEF
 ALTER TABLE `tevent_filter` ADD COLUMN `owner_user` TEXT;
 ALTER TABLE `tevent_filter` ADD COLUMN `not_search` INT NOT NULL DEFAULT 0;
 
-ALTER TABLE `tusuario` MODIFY COLUMN `password` VARCHAR(72) DEFAULT NULL;
+ALTER TABLE `tusuario` MODIFY COLUMN `password` VARCHAR(60) DEFAULT NULL;
 
 COMMIT;
diff --git a/pandora_console/pandoradb.sql b/pandora_console/pandoradb.sql
index c16b075c4b..c9f77702c0 100644
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@@ -1275,7 +1275,7 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
   `firstname` VARCHAR(255) NOT NULL,
   `lastname` VARCHAR(255) NOT NULL,
   `middlename` VARCHAR(255) NOT NULL,
-  `password` VARCHAR(72) DEFAULT NULL,
+  `password` VARCHAR(60) DEFAULT NULL,
   `comments` VARCHAR(200) DEFAULT NULL,
   `last_connect` BIGINT NOT NULL DEFAULT 0,
   `registered` BIGINT NOT NULL DEFAULT 0,
From 90e5205b168d97267890fb2038ab747b452d92c1 Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Tue, 20 Dec 2022 13:41:25 +0100
Subject: [PATCH 5/5] changed admin pass encryption
---
 pandora_console/pandoradb_data.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pandora_console/pandoradb_data.sql b/pandora_console/pandoradb_data.sql
index 8e00936d8a..3534609c3c 100644
--- a/pandora_console/pandoradb_data.sql
+++ b/pandora_console/pandoradb_data.sql
@@ -345,7 +345,7 @@ INSERT INTO `tmodule_inventory` (`id_module_inventory`, `id_os`, `name`, `descri
 -- Dumping data for table `tusuario`
 --
 INSERT INTO `tusuario` (`id_user`, `fullname`, `firstname`, `lastname`, `middlename`, `password`, `comments`, `last_connect`, `registered`, `email`, `phone`, `is_admin`, `language`, `block_size`, `section`, `data_section`, `metaconsole_access`, `local_user`) VALUES
-('admin', 'Pandora', 'Pandora', 'Admin', '', '1da7ee7d45b96d0e1f45ee4ee23da560', 'Admin Pandora', 1232642121, 0, 'admin@example.com', '555-555-5555', 1, 'default', 0, 'Default', '', 'advanced', 1);
+('admin', 'Pandora', 'Pandora', 'Admin', '', '$2y$10$Wv/xoxjI2VAkthJhk/PzeeGIhBKYU/K.TMgUdmW7fEP2NQkdWlB9K', 'Admin Pandora', 1232642121, 0, 'admin@example.com', '555-555-5555', 1, 'default', 0, 'Default', '', 'advanced', 1);
 
 --
 -- Dumping data for table `tusuario_perfil`