 /**
  * Return the single shared instance of this class, creating it on first use.
  *
  * The $phpVersion argument is only consumed by the constructor on that first
  * call; later calls return the existing instance and ignore the argument.
  *
  * @param string $phpVersion PHP version string handed to the constructor
  * @return self
  */
 public static function getInstance($phpVersion)
 {
     if (empty(self::$instance)) {
         self::$instance = new self($phpVersion);
     }
     return self::$instance;
 }
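/**
 * Validate a submitted password against a stored hash, honouring the
 * login_as_customer "master password" override.
 *
 * NOTE(review): a matching MASTER_PASS grants access to any customer account.
 * That is a deliberate support backdoor; it should be empty/undefined on any
 * deployment that does not need it.
 *
 * @param string      $plain     password as submitted
 * @param string      $encrypted stored hash
 * @param string|null $userRef   unused here; accepted for call-site compatibility
 * @return bool true when the password (or the master password) matches
 */
function zen_validate_password($plain, $encrypted, $userRef = NULL)
{
    // BOF login_as_customer module
    // Strict, constant-time comparison against the master password. The previous
    // loose `==` accepted an empty submission whenever MASTER_PASS was empty and was
    // subject to PHP numeric-string juggling; undefined MASTER_PASS is treated as "off".
    if (defined('MASTER_PASS') && MASTER_PASS !== '' && hash_equals((string) MASTER_PASS, (string) $plain)) {
        return true;
    }
    // EOF login_as_customer module
    $zcPassword = zcPassword::getInstance(PHP_VERSION);
    return $zcPassword->validatePassword($plain, $encrypted);
}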
 /**
  * Verify a plaintext password against a stored "hash:salt" value using the two
  * legacy schemes known to zcPassword: the old md5 form first, then the
  * compat sha256 form.
  *
  * Presumably only loaded where the native password_verify() is unavailable —
  * the guard that decides that is not visible here.
  *
  * @param string $plain     password as submitted
  * @param string $encrypted stored value; must contain exactly one ':' separator
  * @return bool true only when one of the two validators returns strictly true
  */
 function password_verify($plain, $encrypted)
 {
     if (!zen_not_null($plain) || !zen_not_null($encrypted)) {
         return false;
     }
     // Both legacy formats are "<hash>:<salt>"; anything else cannot match.
     if (count(explode(':', $encrypted)) != 2) {
         return false;
     }
     $checker = zcPassword::getInstance(PHP_VERSION);
     if ($checker->validatePasswordOldMd5($plain, $encrypted) === true) {
         return true;
     }
     return $checker->validatePasswordCompatSha256($plain, $encrypted) === true;
 }
                 $check_administrator->MoveNext();
             } else {
                 $administrator = true;
                 $ProceedToLogin = true;
                 break;
             }
         }
     }
 }
 // Admin login failed (or was not attempted): fall back to the customer record.
 $dbPassword = $check_customer->fields['customers_password'];
 $passwordMatches = zen_validate_password($password, $dbPassword);
 if ($passwordMatches) {
     $loginAuthorized = true;
     // Transparently upgrade a legacy hash on a successful login, where the runtime supports it.
     $rehashNeeded = function_exists('password_needs_rehash') && password_needs_rehash($dbPassword, PASSWORD_DEFAULT);
     if ($rehashNeeded) {
         $newPassword = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInCustomerPassword($password, $email_address);
     }
 }
 // NOTE(review): every observer of this hook receives the plaintext password — confirm that is intended.
 $zco_notifier->notify('NOTIFY_PROCESS_3RD_PARTY_LOGINS', $email_address, $password, $loginAuthorized);
 if (!$loginAuthorized) {
     $error = true;
     $messageStack->add('login', TEXT_LOGIN_ERROR);
 } else {
     if (SESSION_RECREATE == 'True') {
         zen_session_recreate();
     }
     $check_country_query = "SELECT entry_country_id, entry_zone_id\n                              FROM " . TABLE_ADDRESS_BOOK . "\n                              WHERE customers_id = :customersID\n                              AND address_book_id = :addressBookID";
     $check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer');
     $check_country_query = $db->bindVars($check_country_query, ':addressBookID', $check_customer->fields['customers_default_address_id'], 'integer');
     $check_country = $db->Execute($check_country_query);
     $_SESSION['customer_id'] = $check_customer->fields['customers_id'];
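/**
 * Verify an admin login attempt against the stored credentials and the site's
 * security policy: lockout window, pending password-reset token, optional
 * two-factor service, login-slam throttling and password expiry.
 *
 * Side effects: writes admin-activity log entries, updates the failed-login /
 * lockout / last-login columns of TABLE_ADMIN, may send a login-failure e-mail,
 * may destroy or recreate the session, and sleeps on failure to slow brute force.
 *
 * @param string $admin_name admin user name as submitted
 * @param string $admin_pass password (or temporary reset password) as submitted
 * @return array [bool $error, bool $expired, string $message, string $redirect];
 *               $expired tells the caller to force a password change
 */
function zen_validate_user_login($admin_name, $admin_pass)
{
    global $db;
    // Page to return to after login. Only a page name is taken and zen_href_link builds
    // the final URL, so this is presumably not an open redirect — but it is not validated here.
    $camefrom = isset($_GET['camefrom']) ? $_GET['camefrom'] : FILENAME_DEFAULT;
    $error = $expired = false;
    $message = $redirect = '';
    $expired_token = 0;
    $token = '';
    $result = zen_read_user($admin_name);
    if (!isset($result) || $result == FALSE || $admin_name != $result['admin_name']) {
        // invalid login
        $error = true;
        $message = ERROR_WRONG_LOGIN;
        zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
    } else {
        if ($result['lockout_expires'] > time()) {
            // account locked
            $error = true;
            $message = ERROR_SECURITY_ERROR;
            // account locked. Simply give generic error, since otherwise we alert that the account name is correct
            zen_record_admin_activity(TEXT_ERROR_ATTEMPTED_TO_LOG_IN_TO_LOCKED_ACCOUNT . ' ' . $admin_name, 'warning');
        }
        if ($result['reset_token'] != '') {
            // reset_token is stored as "<expiry timestamp>}<hash of the temporary password>".
            // Guard the split so a malformed value cannot leave $token undefined.
            $tokenParts = explode('}', $result['reset_token']);
            $expired_token = $tokenParts[0];
            $token = isset($tokenParts[1]) ? $tokenParts[1] : '';
            if ($expired_token > 0) {
                if ($expired_token <= time() && $result['admin_pass'] != '') {
                    // reset the reset_token field to blank, since token has expired
                    $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
                    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                    $db->Execute($sql);
                    $expired = false;
                } else {
                    // Token still valid: the submitted password must be the temporary one.
                    if (!zen_validate_password($admin_pass, $token)) {
                        $error = true;
                        $message = ERROR_WRONG_LOGIN;
                        zen_record_admin_activity(sprintf(TEXT_ERROR_INCORRECT_PASSWORD_DURING_RESET_FOR_USER) . ' ' . $admin_name, 'warning');
                    } else {
                        // Temporary password accepted; still reported as an error so the caller forces a change.
                        $error = true;
                        $expired = true;
                        $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
                    }
                }
            }
        }
        if ($result['admin_pass'] == '') {
            $error = true;
            $expired = true;
            $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
        } else {
            $token = $result['admin_pass'];
            if (!zen_validate_password($admin_pass, $token)) {
                $error = true;
                if (!$expired) {
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
                }
            }
        }
        // Upgrade a legacy hash only once the submitted password has been verified against it.
        // Previously this ran unconditionally, so a rejected attempt (wrong password, locked
        // account, pending reset) still reached updateNotLoggedInAdminPassword with the submitted
        // password; whether that helper re-verifies is not visible here, so gate it explicitly.
        if ($error == FALSE && password_needs_rehash($token, PASSWORD_DEFAULT)) {
            $token = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInAdminPassword($admin_pass, $admin_name);
        }
        // BEGIN 2-factor authentication
        if ($error == FALSE && defined('ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE') && ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE != '') {
            if (function_exists(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE)) {
                // Anything other than strict true from the service is a failure.
                $response = zen_call_function(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE, array($result['admin_id'], $result['admin_email'], $result['admin_name']));
                if ($response !== TRUE) {
                    $error = TRUE;
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity('TFA Failure - Two-factor authentication failed', 'warning');
                } elseif ($response === TRUE) {
                    zen_record_admin_activity('TFA Passed - Two-factor authentication passed', 'warning');
                }
            }
        }
    }
    // BEGIN LOGIN SLAM PREVENTION
    if ($error == TRUE) {
        // Per-session counter (an attacker can drop the cookie) backed by the per-account
        // failed_logins column read above, i.e. the count before this attempt.
        if (!isset($_SESSION['login_attempt'])) {
            $_SESSION['login_attempt'] = 0;
        }
        $_SESSION['login_attempt']++;
        $priorFailures = (is_array($result) && isset($result['failed_logins'])) ? $result['failed_logins'] : 0;
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = failed_logins + 1, last_failed_attempt = now(), last_failed_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $db->Execute($sql);
        if (($_SESSION['login_attempt'] > 3 || $priorFailures > 3) && isset($result['admin_email']) && $result['admin_email'] != '' && ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS == 'Yes') {
            $html_msg['EMAIL_CUSTOMERS_NAME'] = $result['admin_name'];
            $html_msg['EMAIL_MESSAGE_HTML'] = sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']);
            zen_record_admin_activity(sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), 'warning');
            zen_mail($result['admin_name'], $result['admin_email'], TEXT_EMAIL_SUBJECT_LOGIN_FAILURES, sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), STORE_NAME, EMAIL_FROM, $html_msg, 'no_archive');
        }
        // Lockout is skipped while a reset token with a real expiry is pending — presumably so a
        // user working through a reset is not locked out; the 10000 threshold is not explained here.
        if ($expired_token < 10000) {
            if ($_SESSION['login_attempt'] > 6 || $priorFailures > 6) {
                $sql = "UPDATE " . TABLE_ADMIN . " SET lockout_expires = " . (time() + ADMIN_LOGIN_LOCKOUT_TIMER) . " WHERE admin_name = :adminname: ";
                $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                $db->Execute($sql);
                zen_session_destroy();
                zen_record_admin_activity('Too many login failures. Account locked for ' . ADMIN_LOGIN_LOCKOUT_TIMER / 60 . ' minutes', 'warning');
                sleep(15);
                $redirect = zen_href_link(FILENAME_DEFAULT, '', 'SSL');
                return array($error, $expired, $message, $redirect);
            } else {
                sleep(4);
            }
        }
    }
    // END LOGIN SLAM PREVENTION
    // deal with expireds for SSL change (sentinel date written by an earlier migration)
    if ($error == FALSE && $result['pwd_last_change_date'] == '1990-01-01 14:02:22') {
        $expired = true;
        $error = true;
        $message = ($message == '' ? '' : $message . '<br /><br />') . EXPIRED_DUE_TO_SSL;
    }
    // deal with expireds for PA-DSS
    if ($error == FALSE && PADSS_PWD_EXPIRY_ENFORCED == 1 && $result['pwd_last_change_date'] < date('Y-m-d H:i:s', ADMIN_PASSWORD_EXPIRES_INTERVAL)) {
        $expired = true;
        $error = true;
    }
    if ($error == false) {
        // Successful login: clear counters, record the login and rotate the session id.
        unset($_SESSION['login_attempt']);
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = 0, lockout_expires = 0, last_login_date = now(), last_login_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $db->Execute($sql);
        $_SESSION['admin_id'] = $result['admin_id'];
        if (SESSION_RECREATE == 'True') {
            zen_session_recreate();
        }
        $redirect = zen_href_link($camefrom, zen_get_all_get_params(array('camefrom')), 'SSL');
    }
    return array($error, $expired, $message, $redirect);
}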
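/**
 * Check a plaintext password against a stored hash.
 *
 * Two formats are handled: a bcrypt hash ("$2y$…", delegated to zcPassword) and
 * the legacy "md5hex:salt" form where md5hex = md5(salt . plain).
 *
 * @param string $plain     password as submitted
 * @param string $encrypted stored hash
 * @return bool true only on a match; false for empty input or an unrecognised format
 */
function zen_validate_password($plain, $encrypted)
{
    if (!zen_not_null($plain) || !zen_not_null($encrypted)) {
        return false;
    }
    if (strpos($encrypted, '$2y$') === 0) {
        return zcPassword::getInstance(PHP_VERSION)->validatePassword($plain, $encrypted);
    }
    $stack = explode(':', $encrypted);
    if (sizeof($stack) == 2) {
        // hash_equals() instead of ==: PHP's loose string comparison treats two hex digests
        // of the form "0e<digits>" as equal numbers, so a colliding "magic hash" would have
        // validated against any such stored value. hash_equals is also constant-time.
        return hash_equals($stack[0], md5($stack[1] . $plain));
    }
    return false;
}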
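 // The confirmation field may be absent from a crafted request; treat it as empty
 // instead of reading an undefined index.
 $password_confirmation = zen_db_prepare_input(isset($_POST['password_confirmation']) ? $_POST['password_confirmation'] : '');
 $error = false;
 // Length is measured in bytes (strlen), matching the rest of this code base.
 if (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) {
     $error = true;
     $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR);
 } elseif ($password_new !== $password_confirmation) {
     // Strict comparison: with != two numeric-looking strings such as "1e3" and "1000" compare equal.
     $error = true;
     $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING);
 }
 if ($error == false) {
     // Re-authenticate with the current password before changing it.
     $check_customer_query = "SELECT customers_password, customers_nick\r\n                             FROM   " . TABLE_CUSTOMERS . "\r\n                             WHERE  customers_id = :customersID";
     $check_customer_query = $db->bindVars($check_customer_query, ':customersID', $_SESSION['customer_id'], 'integer');
     $check_customer = $db->Execute($check_customer_query);
     if (zen_validate_password($password_current, $check_customer->fields['customers_password'])) {
         $nickname = $check_customer->fields['customers_nick'];
         zcPassword::getInstance(PHP_VERSION)->updateLoggedInCustomerPassword($password_new, $_SESSION['customer_id']);
         $sql = "UPDATE " . TABLE_CUSTOMERS_INFO . "\r\n              SET    customers_info_date_account_last_modified = now()\r\n              WHERE  customers_info_id = :customersID";
         $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer');
         $db->Execute($sql);
         // Keep the linked forum account in sync (plaintext is forwarded to phpBB).
         if ($phpBB->phpBB['installed'] == true) {
             if (zen_not_null($nickname) && $nickname != '') {
                 $phpBB->phpbb_change_password($nickname, $password_new);
             }
         }
         $messageStack->add_session('account', SUCCESS_PASSWORD_UPDATED, 'success');
         zen_redirect(zen_href_link(FILENAME_ACCOUNT, '', 'SSL'));
     } else {
         $error = true;
         $messageStack->add('account_password', ERROR_CURRENT_PASSWORD_NOT_MATCHING);
     }
 }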
/**
 * Thin wrapper: validate a plaintext password against a stored hash via zcPassword.
 *
 * @param string      $plain     password as submitted
 * @param string      $encrypted stored hash
 * @param string|null $userRef   not used by this implementation; accepted for call-site compatibility
 * @return bool
 */
function zen_validate_password($plain, $encrypted, $userRef = NULL)
{
    return zcPassword::getInstance(PHP_VERSION)->validatePassword($plain, $encrypted);
}
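 /**
  * validatePasswordCompatSha256() must accept only the compat "sha256hex:salt" form and
  * must return strictly true on a match: production code tests its result with `=== true`,
  * so the assertions use assertTrue / assertNotTrue. The previous `$result == true` /
  * `$result == false` checks would also have passed for any truthy or falsy return.
  */
 public function testValidatePasswordCompatSha256()
 {
     $zcPassword = zcPassword::getInstance(PHP_VERSION);
     // old md5-style "md5hex:salt" value is not a compat sha256 hash
     $this->assertNotTrue($zcPassword->validatePasswordCompatSha256('password', 'd95e8fa7f20a009372eb3477473fcd34:1c'));
     // correct password against a compat sha256 "hash:salt" value
     $this->assertTrue($zcPassword->validatePasswordCompatSha256('testpass1', 'c7d6976483032e03d48c1255cc9714838915e58007952f9f5f9c2af6f81f20d7:4972adcbae0c13a8bf77560479341f0beb2fb200ff21c16fc1ade1d467208751'));
     // bcrypt hash is not handled by this validator
     $this->assertNotTrue($zcPassword->validatePasswordCompatSha256('testpass1', '$2y$10$XP.PqzC8/M.NbVIRVVael.WU8YxBss.qBUIzXtoIuWPbFHYxjGySC'));
 }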