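/**
 * Hashes $password with the salt, iteration count and method that belong to $username.
 *
 * Modes:
 *   'RECREATE' - read the stored `salt`, `iteration` and `method` of $username from the
 *                `user` table (login path). When no such user exists, decoy parameters are
 *                generated so that a hash is still computed and the response time does not
 *                reveal whether the account exists.
 *   'NEW'      - generate a fresh salt, method and iteration count (new / changed password).
 *
 * $salt, $iteration and $method are by-reference out-parameters: on return they hold the
 * values that were used for the digest, so a caller can persist them next to the hash.
 *
 * @param string     $mode      'RECREATE' or 'NEW'
 * @param string     $password  plaintext password
 * @param string     $username  account name; only consulted in 'RECREATE' mode
 * @param string     $salt      out: salt used
 * @param int|string $iteration out: rounds (or bcrypt cost factor) used
 * @param string     $method    out: 'blowfish' or one of cobalt_password_methods()
 * @return string|null the digest; null only if error_handler() returned instead of halting
 */
function cobalt_password_hash($mode, $password, $username, &$salt = '', &$iteration = '', &$method = '')
{
    require_once 'subclasses/system_settings.php';
    // NOTE(review): $obj_settings is never read here; kept because the constructor may have
    // side effects (e.g. defining the AUTH_* constants used below) - confirm before removing.
    $obj_settings = new system_settings();

    // Fresh, random hashing parameters. Used for new passwords and as a decoy when a
    // RECREATE lookup finds no such user (keeps both paths equally expensive).
    $fresh_params = function () use (&$salt, &$iteration, &$method) {
        $salt = generate_token();
        $method = cobalt_password_set_method();
        if ($method === 'blowfish') {
            $iteration = AUTH_BLOWFISH_COST_FACTOR;
        } else {
            $min = constant('AUTH_' . strtoupper($method) . '_MIN_ROUNDS');
            $max = constant('AUTH_' . strtoupper($method) . '_MAX_ROUNDS');
            if ($max < $min) {
                // Misconfigured bounds: fall back to the minimum instead of failing.
                $max = $min;
            }
            // The round count is stored next to the hash and is not secret, so mt_rand() is enough.
            $iteration = mt_rand($min, $max);
        }
    };

    $digest = null;

    if ($mode === 'RECREATE') {
        $dbh = new data_abstraction();
        $mysqli = $dbh->connect_db()->mysqli;
        $clean_username = $mysqli->real_escape_string($username);
        $dbh->set_table('user');
        $dbh->set_fields('`salt`,`iteration`,`method`');
        // data_abstraction only takes a WHERE string, so the value is escaped rather than bound.
        $dbh->set_where("`username`='{$clean_username}'");
        $dbh->exec_fetch('single');
        if ((int) $dbh->num_rows === 1) {
            $salt = $dbh->dump['salt'];
            $iteration = $dbh->dump['iteration'];
            $method = $dbh->dump['method'];
        } else {
            // Unknown user: hash against decoy parameters. Nothing may be printed here -
            // echoing the decoy would tell the caller that the account does not exist.
            $fresh_params();
        }
        $dbh->close_db();
    } elseif ($mode === 'NEW') {
        $fresh_params();
    } else {
        error_handler("Cobalt encountered an error during password processing.", "Cobalt Password Hash Error: Invalid mode specified.");
        // Reached only if error_handler() does not halt: never hash with unset parameters.
        return $digest;
    }

    if ($method === 'blowfish') {
        $digest = cobalt_password_hash_bcrypt($password, $salt, $iteration);
    } elseif (in_array($method, cobalt_password_methods(), true)) {
        $digest = cobalt_password_hash_process($password, $salt, $iteration, $method);
    } else {
        error_handler("Cobalt encountered an error during password processing.", "Cobalt Password Hash Error: Invalid hash method specified.");
    }

    return $digest;
}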
$error_message = 'You have been logged out because your IP address has changed. Please log in again.'; } } if (xsrf_guard()) { init_var($_POST['btnSubmit']); if ($_POST['btnSubmit']) { require 'password_crypto.php'; $error_message = ''; extract($_POST); //Deal with passwords longer than MAX_PASSWORD_LENGTH (possible DoS vulnerability) if (strlen($password) > MAX_PASSWORD_LENGTH) { //Reset password to an arbitrarily small string, thwarting any DoS attempt $password = '******'; } $data_con = new data_abstraction(); $mysqli = $data_con->connect_db()->mysqli; $clean_username = $mysqli->real_escape_string($username); $clean_password = cobalt_password_hash('RECREATE', $password, $username); //FIXME: remember to update this ancient code to use prepared statement $mysqli->real_query("SELECT `username`, `skin_id`, `first_name`, `middle_name`, `last_name` FROM `user`, `person` WHERE `username`='{$clean_username}' AND `password`='{$clean_password}' AND `user`.`person_id` = `person`.`person_id`"); if ($result = $mysqli->use_result()) { if ($data = $result->fetch_assoc()) { $result->close(); extract($data); $_SESSION['logged'] = 'Logged'; $_SESSION['user'] = $username; $_SESSION['first_name'] = $first_name; $_SESSION['middle_name'] = $middle_name; $_SESSION['last_name'] = $last_name; $_SESSION['ip_address'] = get_ip(); $data_con = new data_abstraction();
?> </SELECT> <input type=submit name="passportButton" value="GO" class=button1> </td> </tr> </TABLE> <table class="input_form" width="800"> <tr><td><br><hr></td></tr> </table> <?php if ($SHOW_MODULES) { if ($passportGroup != 'All Groups') { $data_con = new data_abstraction(); $data_con->connect_db(); $data_con->set_fields('passport_group AS `Group_Title`'); $data_con->set_table('user_passport_groups'); $data_con->set_where("passport_group_id = '" . quote_smart($passportGroup) . "'"); $result = $data_con->make_query()->result; $data_con->close_db(); $info = $result->fetch_assoc(); extract($info); } else { $Group_Title = "All Groups"; } ?> <br><br> <table width="800" class="listView" align="center"> <tr class="listRowHead"><td colspan=2> <?php echo "{$Group_Title} passport for {$Name}";
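/**
 * Bootstraps a Cobalt page: loads the global config and core classes, starts a hardened
 * session, opens the default database link, enforces the login / passport check,
 * normalises POST input and optionally logs the module access.
 *
 * Side effects: defines PROCESS_START_TIME; requires global_config.php,
 * data_abstraction_class.php, html_class.php (and core_debug.php when DEBUG_MODE);
 * starts the session; sets the globals $default_db_link, $message and $message_type;
 * may call redirect(), which is assumed to end the request (the code does not return
 * early after it).
 *
 * @param string|null $required_passport passport needed for this page; null or '' skips the
 *                                       login check entirely, 'ALLOW_ALL' only requires login
 * @param bool        $log               record a 'Module Access' entry (also gated by LOG_MODULE_ACCESS)
 * @return void
 */
function init_cobalt($required_passport = null, $log = TRUE)
{
    // Performance timer for pages that report their render time.
    define('PROCESS_START_TIME', microtime(TRUE));

    // Global config plus the classes every page relies on.
    require 'global_config.php';
    require 'data_abstraction_class.php';
    require 'html_class.php';
    if (DEBUG_MODE) {
        require_once 'core_debug.php';
    }

    date_default_timezone_set(TIMEZONE_SETTING);

    // Start the session; regenerate the ID the first time it is used to defeat simple
    // session fixation (an attacker-supplied ID never becomes an authenticated one).
    session_name(GLOBAL_SESSION_NAME);
    session_start();
    if (!isset($_SESSION['initiated'])) {
        // Harden ID generation before regenerating: at least 16 bytes (128 bits) of entropy
        // and SHA-256 if the build supports it, else SHA-1. Both ini settings were removed in
        // PHP 7.1, where ini_set() just returns false and the engine's own CSPRNG is used.
        if ((int) ini_get('session.entropy_length') < 16) {
            ini_set('session.entropy_length', '16');
        }
        $hash_function = in_array('sha256', hash_algos(), true) ? 'sha256' : '1';
        ini_set('session.hash_function', $hash_function);
        session_regenerate_id(TRUE);
        $_SESSION['initiated'] = TRUE;
    }

    // Default database link for quote_smart() and any other helper that depends on an
    // already-open MySQL connection.
    global $default_db_link;
    $dbh = new data_abstraction();
    $default_db_link = $dbh->connect_db()->mysqli;

    if ($required_passport !== null && $required_passport !== '') {
        if (!isset($_SESSION['logged']) || $_SESSION['logged'] !== 'Logged') {
            // Not logged in: send to the login page configured in global_config.php.
            redirect(LOGIN_PAGE);
        } elseif (!isset($_SESSION['ip_address']) || $_SESSION['ip_address'] !== get_ip()) {
            if (IP_CHANGE_DETECTION) {
                // Client IP differs from the one recorded at login: treat it as a possible
                // session hijack and log the user out.
                $old_ip = isset($_SESSION['ip_address']) ? $_SESSION['ip_address'] : '';
                log_action('Logged out due to IP address change, from ' . $old_ip . ' to ' . get_ip());
                $_SESSION = array();
                if (isset($_COOKIE[session_name()])) {
                    // Expire the cookie with the same path/domain/flags it was issued with;
                    // otherwise the browser keeps it and only the server-side data is gone.
                    $cookie = session_get_cookie_params();
                    setcookie(session_name(), '', time() - 86400, $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
                }
                session_destroy();
                redirect(LOGIN_PAGE . '?reason=ipchange');
            }
        }
        if ($required_passport !== 'ALLOW_ALL') {
            check_passport($required_passport);
        }
    }

    // With magic_quotes_gpc on, POST data arrives pre-escaped; undo that so every consumer
    // sees raw input and applies its own escaping. The function no longer exists on PHP 8,
    // hence the function_exists() guard. Turning magic quotes off in php.ini avoids this cost.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        reverse_magic_quotes($_POST);
    }
    mb_internal_encoding(MULTI_BYTE_ENCODING);

    // Page-level message slots used by almost every page.
    global $message;
    global $message_type;
    $message = '';
    $message_type = '';

    // Requests that carry a form_key (form submissions) are not logged as a module access.
    if ($log && LOG_MODULE_ACCESS && empty($_POST['form_key'])) {
        log_action('Module Access');
    }
}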