HOR-3548 Users can log in with just a password hash without knowing the clear text password

- Check if the password contains password hashes.
This commit is contained in:
Marco A. Nina Mena
2017-08-06 20:19:26 -04:00
committed by Marco A. Nina Mena
parent fee5d3640d
commit f9b59c5f42


@@ -41,6 +41,18 @@ try {
die();
}
//Check if the password contains the password hashes
if (!empty($_POST['form']['USR_PASSWORD']) && strlen($_POST['form']['USR_PASSWORD']) > 32) {
$pass = trim($_POST['form']['USR_PASSWORD']);
foreach (Bootstrap::getPasswordHashConfig() as $key => $hash) {
$search = substr($pass, 0, strlen($hash) + 1);
if ($search == $hash . ':') {
$pass = substr($pass, strlen($hash) + 1);
}
}
$_POST['form']['USR_PASSWORD'] = $pass;
}
$frm = $_POST['form'];
if (isset($frm['USR_USERNAME'])) {
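Review bot: The prefix stripping makes a single pass over Bootstrap::getPasswordHashConfig(), so a submitted value that stacks two prefixes in the reverse of the configured order has only the inner one removed and still reaches the login code with a hash marker attached; the loop should repeat until no configured prefix matches, as below. The comparison `$search == $hash . ':'` should be strict, and the `strlen(...) > 32` gate is measured on the untrimmed value, while whether the consumer ever treats a shorter prefixed string as a hash cannot be told from this hunk, so the threshold is worth confirming against that code. If the consumer recognises the prefix case-insensitively, this check has to do the same, otherwise a differently cased prefix passes through untouched. The enclosing `try` block opens before the hunk.
```php
//Check if the password contains the password hashes
if (!empty($_POST['form']['USR_PASSWORD']) && strlen($_POST['form']['USR_PASSWORD']) > 32) {
    $pass = trim($_POST['form']['USR_PASSWORD']);
    // Repeat until no configured prefix is left, so stacked prefixes are fully removed.
    do {
        $stripped = false;
        foreach (Bootstrap::getPasswordHashConfig() as $hash) {
            $prefix = $hash . ':';
            if (strncmp($pass, $prefix, strlen($prefix)) === 0) {
                $pass = (string) substr($pass, strlen($prefix));
                $stripped = true;
            }
        }
    } while ($stripped && $pass !== '');
    $_POST['form']['USR_PASSWORD'] = $pass;
}
```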