
Thread: Secure Password Hash Mod

  1. #1
    SMurphy
    Guest


    Secure Password Hash Mod

    osCmax still uses the MD5 algorithm to hash passwords which is no longer a secure method. This mod changes osCmax to use PHP's password_hash function which not only uses a secure algorithm, but will automatically update the algorithm used when PHP is updated and new algorithm is available.

    There is no need for anyone to do anything to update their passwords; this mod will simply rehash passwords when they log in. It would be a good idea for inactive accounts to have a password randomly generated to clear out insecure hashes after so long, but that's out of the scope of this mod.

    Installation

    Database

    We need to update the password fields to take the longer hashes. At the time of writing password_hash() generates a hash that is 60 characters long, but this may change, so we'll specify a length of 255 to ensure we don't mess things up if the algorithm changes.

    Code:
    ALTER TABLE `admin` CHANGE `admin_password` `admin_password` VARCHAR( 255 ) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL;
    ALTER TABLE `affiliate_affiliate` CHANGE `affiliate_password` `affiliate_password` VARCHAR( 255 ) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL;
    ALTER TABLE `customers` CHANGE `customers_password` `customers_password` VARCHAR( 255 ) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL;
    Files

    If you have an unmodified version of osCmax 2.5.4 simply download the attached file and extract them to your osCmax.

    If you have modified your install or are running a different version, then you'll need to follow the instructions below to manually install the mod.

    Open /catalog/admin/includes/functions/password_funcs.php

    Starting around line 17 find:
    PHP Code:
    // split apart the hash / salt
          $stack = explode(':', $encrypted);

          if (sizeof($stack) != 2) return false;

          if (md5($stack[1] . $plain) == $stack[0]) {
            return true;
          }
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
          // If the password hash is the old style (32 hex chars + ':' + 2 char salt)
          if (strlen($encrypted) == 35 && substr($encrypted, 32, 1) == ':') {
            // split apart the hash / salt
            $stack = explode(':', $encrypted);

            if (sizeof($stack) != 2) return false;

            if (md5($stack[1] . $plain) == $stack[0]) {
              return 'rehash';
            }
          } else {
            if (password_verify($plain, $encrypted)) {
              if (password_needs_rehash($encrypted, PASSWORD_DEFAULT)) {
                return 'rehash';
              }

              return true;
            }
          }
    // EOF: Secure Password Hash Mod by SMurphy
    Starting around line 47 find;
    PHP Code:
        for ($i=0; $i<10; $i++) {
          $password .= tep_rand();
        }

        $salt = substr(md5($password), 0, 2);

        $password = md5($salt . $plain) . ':' . $salt;
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
        $password = password_hash($plain, PASSWORD_DEFAULT);
    // EOF: Secure Password Hash Mod by SMurphy
    Open /catalog/admin/admin_account.php

    Around line 25 find;
    PHP Code:
            if (!tep_validate_password($_POST['password_confirmation'], $check_pass['confirm_password'])) { 
    Replace with;
    PHP Code:
    // LINE EDIT: Secure Password Hash Mod by SMurphy
            if (tep_validate_password($_POST['password_confirmation'], $check_pass['confirm_password']) === false) {
    Open /catalog/admin/login.php

    Around line 30 find;
    PHP Code:
          if (!tep_validate_password($password, $check_admin['login_password'])) {
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
          $password_validate_result = tep_validate_password($password, $check_admin['login_password']);
          if ($password_validate_result === false) {
    // EOF: Secure Password Hash Mod by SMurphy
    Around line 53 find;
    PHP Code:
            tep_db_query("update " . TABLE_ADMIN . " set admin_logdate = now(), admin_lognum = admin_lognum+1 where admin_id = '" . $login_id . "'");
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
            // strict comparison: under PHP's loose comparison true == 'rehash' is also true
            if ($password_validate_result === 'rehash') {
              tep_db_query("update " . TABLE_ADMIN . " set admin_password = '" . tep_encrypt_password($password) . "', admin_logdate = now(), admin_lognum = admin_lognum+1 where admin_id = '" . $login_id . "'");
            } else {
              tep_db_query("update " . TABLE_ADMIN . " set admin_logdate = now(), admin_lognum = admin_lognum+1 where admin_id = '" . $login_id . "'");
            }
    // EOF: Secure Password Hash Mod by SMurphy
    Open /catalog/includes/functions/affiliate_functions.php

    Starting around line 82 find:
    PHP Code:
    // split apart the hash / salt
            $stack = explode(':', $encrypted);

            if (sizeof($stack) != 2) return false;

            if (md5($stack[1] . $plain) == $stack[0]) {
              return true;
            }
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
            // If the password hash is the old style (32 hex chars + ':' + 2 char salt)
            if (strlen($encrypted) == 35 && substr($encrypted, 32, 1) == ':') {
              // split apart the hash / salt
              $stack = explode(':', $encrypted);

              if (sizeof($stack) != 2) return false;

              if (md5($stack[1] . $plain) == $stack[0]) {
                return 'rehash';
              }
            } else {
              if (password_verify($plain, $encrypted)) {
                if (password_needs_rehash($encrypted, PASSWORD_DEFAULT)) {
                  return 'rehash';
                }

                return true;
              }
            }
    // EOF: Secure Password Hash Mod by SMurphy
    Starting around line 114 find;
    PHP Code:
        for ($i=0; $i<10; $i++) {
          $password .= tep_rand();
        }

        $salt = substr(md5($password), 0, 2);

        $password = md5($salt . $plain) . ':' . $salt;
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
        $password = password_hash($plain, PASSWORD_DEFAULT);
    // EOF: Secure Password Hash Mod by SMurphy
    Open /catalog/includes/functions/password_funcs.php

    Starting around line 18 find:
    PHP Code:
    // split apart the hash / salt
          $stack = explode(':', $encrypted);

          if (sizeof($stack) != 2) return false;

          if (md5($stack[1] . $plain) == $stack[0]) {
            return true;
          }
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
          // If the password hash is the old style (32 hex chars + ':' + 2 char salt)
          if (strlen($encrypted) == 35 && substr($encrypted, 32, 1) == ':') {
            // split apart the hash / salt
            $stack = explode(':', $encrypted);

            if (sizeof($stack) != 2) return false;

            if (md5($stack[1] . $plain) == $stack[0]) {
              return 'rehash';
            }
          } else {
            if (password_verify($plain, $encrypted)) {
              if (password_needs_rehash($encrypted, PASSWORD_DEFAULT)) {
                return 'rehash';
              }

              return true;
            }
          }
    // EOF: Secure Password Hash Mod by SMurphy
    Starting around line 48 find;
    PHP Code:
        for ($i=0; $i<10; $i++) {
          $password .= tep_rand();
        }

        $salt = substr(md5($password), 0, 2);

        $password = md5($salt . $plain) . ':' . $salt;
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
        $password = password_hash($plain, PASSWORD_DEFAULT);
    // EOF: Secure Password Hash Mod by SMurphy
    Open /catalog/includes/classes/onepage_checkout.php

    Around line 418 find;
    PHP Code:
          if (!tep_validate_password($password, $check_customer['customers_password'])) {
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
          $password_validate_result = tep_validate_password($password, $check_customer['customers_password']);
          if ($password_validate_result === false) {
    // EOF: Secure Password Hash Mod by SMurphy
    Around line 454 find;
    PHP Code:
            tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . (int)$customer_id . "'");
    Insert the following before that line;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
            // strict comparison: under PHP's loose comparison true == 'rehash' is also true
            if ($password_validate_result === 'rehash') {
              tep_db_query("update " . TABLE_CUSTOMERS . " set customers_password = '" . tep_encrypt_password($password) . "' where customers_id = '" . (int)$customer_id . "'");
            }
    // EOF: Secure Password Hash Mod by SMurphy

    Open /catalog/account_password.php

    Around line 53 find;
    PHP Code:
          if (tep_validate_password($password_current, $check_customer['customers_password'])) {
    Replace with;
    PHP Code:
    // LINE EDIT: Secure Password Hash Mod by SMurphy
          if (tep_validate_password($password_current, $check_customer['customers_password']) !== false) {
    Open /catalog/affiliate_affiliate.php

    Around line 34 find;
    PHP Code:
          if (!tep_validate_password($affiliate_password, $check_affiliate['affiliate_password'])) {
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
          $password_validate_result = tep_validate_password($affiliate_password, $check_affiliate['affiliate_password']);
          if ($password_validate_result === false) {
    // EOF: Secure Password Hash Mod by SMurphy
    Around line 43 find;
    PHP Code:
            tep_db_query("update " . TABLE_AFFILIATE . " set affiliate_date_of_last_logon = now(), affiliate_number_of_logons = affiliate_number_of_logons + 1 where affiliate_id = '" . $affiliate_id . "'");
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
            // strict comparison: under PHP's loose comparison true == 'rehash' is also true
            if ($password_validate_result === 'rehash') {
              tep_db_query("update " . TABLE_AFFILIATE . " set affiliate_password = '" . tep_encrypt_password($affiliate_password) . "', affiliate_date_of_last_logon = now(), affiliate_number_of_logons = affiliate_number_of_logons + 1 where affiliate_id = '" . $affiliate_id . "'");
            } else {
              tep_db_query("update " . TABLE_AFFILIATE . " set affiliate_date_of_last_logon = now(), affiliate_number_of_logons = affiliate_number_of_logons + 1 where affiliate_id = '" . $affiliate_id . "'");
            }
    // EOF: Secure Password Hash Mod by SMurphy
    Open /catalog/affiliate_password.php

    Around line 49 find;
    PHP Code:
          if (tep_validate_password($password_current, $check_affiliate['affiliate_password'])) {
    Replace with;
    PHP Code:
    // LINE EDIT: Secure Password Hash Mod by SMurphy
          if (tep_validate_password($password_current, $check_affiliate['affiliate_password']) !== false) {
    Open /catalog/login.php

    Around line 70 find;
    PHP Code:
          if (!tep_validate_password($password, $check_customer['customers_password']) && !isset($_POST['action'])) {
    Replace with;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
          $password_validate_result = tep_validate_password($password, $check_customer['customers_password']);
          if ($password_validate_result === false && !isset($_POST['action'])) {
    // EOF: Secure Password Hash Mod by SMurphy
    Around line 164 find;
    PHP Code:
            tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . (int)$customer_id . "'");
    Insert the following before that line;
    PHP Code:
    // BOF: Secure Password Hash Mod by SMurphy
            // strict comparison: under PHP's loose comparison true == 'rehash' is also true
            if ($password_validate_result === 'rehash') {
              tep_db_query("update " . TABLE_CUSTOMERS . " set customers_password = '" . tep_encrypt_password($password) . "' where customers_id = '" . (int)$customer_id . "'");
            }
    // EOF: Secure Password Hash Mod by SMurphy
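    A worked model of the login-time migration described in the post above, added here as an example; it is not osCmax code and not the mod's own code. The function names (legacy_hash, is_legacy_hash, validate_password, login) are invented for the example, with tep_validate_password / tep_encrypt_password as the real osCmax counterparts, and the in-memory $user array stands in for the customers, admin or affiliate row. Two deliberate departures from the posted mod: the legacy MD5 comparison uses hash_equals() (PHP 5.6+) instead of ==, and the 'rehash' test uses === because under PHP's loose comparison true == 'rehash' is also true.

```php
<?php
// Added example: self-contained model of the MD5 -> password_hash()
// migration. Not osCmax code and not the mod's code; all function names
// here are invented for the example (osCmax uses tep_* functions).

// Legacy osCmax format: md5(salt . plain) . ':' . salt with a 2 char salt,
// so the stored value is always 35 chars with ':' at offset 32.
function legacy_hash($plain, $salt = 'ab') {
    return md5($salt . $plain) . ':' . $salt;
}

function is_legacy_hash($stored) {
    return strlen($stored) === 35 && $stored[32] === ':';
}

// Returns false (reject), true (accept) or 'rehash' (accept, then
// overwrite the stored value with fresh password_hash() output).
function validate_password($plain, $stored) {
    if (is_legacy_hash($stored)) {
        list($digest, $salt) = explode(':', $stored, 2);
        // hash_equals() (PHP 5.6+) rather than '==': loose comparison of two
        // hex strings is subject to numeric-string juggling and leaks timing.
        return hash_equals($digest, md5($salt . $plain)) ? 'rehash' : false;
    }
    if (!password_verify($plain, $stored)) {
        return false;
    }
    // Also upgrade bcrypt hashes made with an older cost or algorithm.
    return password_needs_rehash($stored, PASSWORD_DEFAULT) ? 'rehash' : true;
}

// $user stands in for the database row; a real caller would persist it.
function login(array &$user, $plain) {
    $result = validate_password($plain, $user['password']);
    if ($result === false) {
        return false;
    }
    // Strict comparison: true == 'rehash' is true under loose comparison.
    if ($result === 'rehash') {
        $user['password'] = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample: one account still stored in the legacy format.
$user = array('password' => legacy_hash('correct horse'));

var_dump(login($user, 'wrong'));
var_dump(is_legacy_hash($user['password']));
var_dump(login($user, 'correct horse'));
var_dump(is_legacy_hash($user['password']));
var_dump(login($user, 'correct horse'));
```

    Run it from the command line with php. The first login() is rejected and leaves the 35-character legacy value untouched; the second is accepted and replaces it with a 60-character $2y$ bcrypt hash, after which is_legacy_hash() reports false; the third is accepted without another rehash because password_needs_rehash() is already satisfied. The same three-valued return is what lets the osCmax callers above distinguish "wrong password" from "right password, but rewrite the stored hash".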

  2. #2
    ridexbuilder
    osCMax Development Team


    Re: Secure Password Hash Mod

    Major kudos for sharing your findings and solution.
    Thanks!


  3. #3
    SMurphy
    Guest



    Re: Secure Password Hash Mod

    The functions used by this mod require PHP 5.5. If your server is running an older version you will need to:

    UPDATE: Last method I posted did not work with addons like ECC. This should work fine.

    Download this file;
    https://github.com/ircmaxell/passwor...b/password.php

    Rename it to;
    "password_hash.php"

    Place a copy of that file in the following locations;
    /catalog/includes/functions/
    /catalog/admin/includes/functions/


    Open /catalog/includes/functions/affiliate_functions.php;

    Around line 13 find;
    PHP Code:
      function affiliate_check_url($url) { 
    Insert the following before that line;
    PHP Code:
      if (!in_array(DIR_WS_FUNCTIONS . 'password_hash.php', get_included_files())) {
        require DIR_WS_FUNCTIONS . 'password_hash.php';
      }
    Open /catalog/includes/functions/password_funcs.php;

    Around line 13 find;
    PHP Code:
    //// 
    Insert the following before that line;
    PHP Code:
      require DIR_WS_FUNCTIONS . 'password_hash.php';

    Open /catalog/admin/includes/functions/password_funcs.php;

    Around line 13 find;
    PHP Code:
    //// 
    Insert the following before that line;
    PHP Code:
      require DIR_WS_FUNCTIONS . 'password_hash.php';
    Finally
    Contact your host and ask when they are going to update their version of PHP, as at the time of writing anything older than 5.5 no longer receives security updates.
    Last edited by SMurphy; 04-05-2016 at 05:07 AM.
