diff --git a/lam/HISTORY b/lam/HISTORY
index cc39f108..2486e5e2 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,3 +1,9 @@
+??? 2.2.0
+ - allow to switch sorting in the account lists
+ - use suffix from account list as default for new accounts (patch 1823583)
+ - Security: passwords in configuration files are now saved as hash values
+
+
07.11.2007 2.1.0
- tabular design for account pages
- show DN on account pages
diff --git a/lam/config/config.cfg_sample b/lam/config/config.cfg_sample
index 120aed1c..7a4739c7 100644
--- a/lam/config/config.cfg_sample
+++ b/lam/config/config.cfg_sample
@@ -1,5 +1,5 @@
-# password to add/delete/rename configuration profiles
-password: lam
+# password to add/delete/rename configuration profiles (default: lam)
+password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ==
# default profile, without ".conf"
default: lam
diff --git a/lam/config/lam.conf_sample b/lam/config/lam.conf_sample
index fcf0d28e..958adb28 100644
--- a/lam/config/lam.conf_sample
+++ b/lam/config/lam.conf_sample
@@ -8,8 +8,8 @@ serverURL: ldap://localhost:389
# e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
admins: cn=Manager,dc=my-domain,dc=com
-# password to change these preferences via webfrontend
-passwd: lam
+# password to change these preferences via webfrontend (default: lam)
+passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==
# suffix of tree view
# e.g. dc=yourdomain,dc=org
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index 21a2324d..503165cc 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -467,12 +467,23 @@ class LAMConfig {
}
/**
- * Returns the password to access the preferences wizard
- *
- * @return string the password
- */
- public function get_Passwd() {
- return $this->Passwd;
+ * Checks if the given password matches.
+ *
+ * @param String $password
+ * @return boolean true, if matches
+ */
+ public function check_Passwd($password) {
+ if (substr($this->Passwd, 0, 6) == "{SSHA}") {
+ // check hashed password
+ $value = substr($this->Passwd, 6);
+ $parts = explode(" ", $value);
+ $salt = base64_decode($parts[1]);
+ return ($this->hashPassword($password, $salt) === $this->Passwd);
+ }
+ else {
+ // old nonhashed password
+ return ($password === $this->Passwd);
+ }
}
/**
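Review bot: check_Passwd reads `$parts[1]` without confirming that the stored value actually contains the space-separated salt, so a malformed or hand-edited `passwd:` line produces an undefined-offset notice and a base64_decode of null instead of a clean rejection; add `if (count($parts) < 2) return false;` before the `base64_decode` line. The prefix test on the method's first line uses `==` where `===` is the safer form, since both operands are strings. The whole-string `===` comparison also depends on hashPassword re-encoding the salt to byte-identical base64, which holds for canonical input but not for a salt stored with different padding; comparing only the hash part would be more robust. The enclosing class LAMConfig continues outside the hunk.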
@@ -482,9 +493,28 @@ class LAMConfig {
* @return boolean true if $value has correct format
*/
public function set_Passwd($value) {
- if (is_string($value)) $this->Passwd = $value;
- else return false;
- return true;
+ if (is_string($value)) {
+ mt_srand((microtime() * 1000000));
+ $rand = mt_rand();
+ $salt0 = substr(pack("h*", md5($rand)), 0, 8);
+ $salt = substr(pack("H*", sha1($salt0 . $value)), 0, 4);
+ $this->Passwd = $this->hashPassword($value, $salt);
+ return true;
+ }
+ else {
+ return false;
+ }
+ }
+
+ /**
+ * Returns the hashed password.
+ *
+ * @param String $password password
+ * @param String $salt salt
+ * @return String hash value
+ */
+ private function hashPassword($password, $salt) {
+ return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
}
/**
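Review bot: The salt in set_Passwd comes from `mt_srand((microtime() * 1000000))` plus `mt_rand()`, which is not a cryptographic source: microtime() without `true` returns a "msec sec" string, so the multiplication uses only its fractional part as the seed, and mt_rand is a predictable generator, leaving the 4-byte salt with far less entropy than its length suggests. Take the salt bytes from the platform's random source instead (`random_bytes(4)` where the PHP version provides it, otherwise /dev/urandom) and drop the reseeding of the global generator. hashPassword calls `hex2bin`, while set_Passwd on the line above uses `pack("H*", ...)` for the same conversion; unless hex2bin is a project helper defined elsewhere, `pack("H*", sha1($password . $salt))` keeps the two consistent and avoids a dependency on a newer builtin. A single salted SHA-1 also remains fast to brute-force offline if the config file is readable by local users, so a slower password hash is the longer-term fix. LAMConfig continues outside the hunk.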
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index 4264b751..8ba87281 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@@ -45,11 +45,10 @@ setlanguage();
// get password
if (isset($_POST['passwd'])) $passwd = $_POST['passwd'];
-if (isset($_GET["modulesback"]) || isset($_GET["typesback"])) $passwd = $_SESSION['conf_config']->get_Passwd();
// check if password was entered
// if not: load login page
-if (! $passwd) {
+if (!$passwd && !isset($_SESSION['conf_isAuthenticated'])) {
$_SESSION['conf_message'] = _("No password was entered!");
/** go back to login if password is empty */
require('conflogin.php');
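Review bot: The new condition still reads `$passwd` when no `passwd` field was posted, because the assignment on the line above is conditional, so the login page path is reached through an undefined-variable notice. Initialising it unconditionally, `$passwd = isset($_POST['passwd']) ? $_POST['passwd'] : '';`, removes that and makes the later `check_Passwd($passwd)` call receive a string. The `isset` test here only establishes that a `conf_isAuthenticated` flag exists; the match against the current file happens further down, which is fine as long as readers know this is only a pre-check.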
@@ -63,7 +62,7 @@ $conf = &$_SESSION['conf_config'];
// check if password is valid
// if not: load login page
-if (!(($conf->get_Passwd()) == $passwd)) {
+if (!$conf->check_Passwd($passwd) && !($_SESSION['conf_isAuthenticated'] === $conf->file)) {
$sessionKeys = array_keys($_SESSION);
for ($i = 0; $i < sizeof($sessionKeys); $i++) {
if (substr($sessionKeys[$i], 0, 5) == "conf_") unset($_SESSION[$sessionKeys[$i]]);
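Review bot: `$_SESSION['conf_isAuthenticated']` is read without an `isset` guard on the new condition, so the first visit of a fresh session evaluates the check through an undefined-index notice. Testing the session flag first also avoids running the password hash when the session is already authenticated: `if (!(isset($_SESSION['conf_isAuthenticated']) && $_SESSION['conf_isAuthenticated'] === $conf->file) && !$conf->check_Passwd($passwd)) {`. The failure branch below clears every `conf_` key, which correctly drops the flag on a wrong password.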
@@ -73,6 +72,7 @@ if (!(($conf->get_Passwd()) == $passwd)) {
require('conflogin.php');
exit;
}
+$_SESSION['conf_isAuthenticated'] = $conf->file;
// check if button was pressed and if we have to save the setting or go back to login
if (isset($_POST['back']) || isset($_POST['submitconf']) || isset($_POST['editmodules']) || isset($_POST['edittypes'])){
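Review bot: The session is marked as authenticated on the added line without rotating the session id, so a session id established before login keeps its value after a successful password check; calling `session_regenerate_id();` immediately before `$_SESSION['conf_isAuthenticated'] = $conf->file;` closes that window. The flag is only cleared by the failed-login branch visible above; any logout or profile-switch path outside this diff must also unset it, otherwise the authenticated state persists for the lifetime of the session. The surrounding request handling continues outside the hunk.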
diff --git a/lam/templates/config/profmanage.php b/lam/templates/config/profmanage.php
index 4f81f3a4..1a92ad0e 100644
--- a/lam/templates/config/profmanage.php
+++ b/lam/templates/config/profmanage.php
@@ -79,7 +79,7 @@ if ($_POST['submit']) {
if ($file) {
// load as config and write new password
$conf = new LAMConfig($_POST['addprofile']);
- $conf->Passwd = $_POST['addpassword'];
+ $conf->set_Passwd($_POST['addpassword']);
$conf->save();
$msg = _("Created new profile.");
}
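Review bot: The return value of `set_Passwd` is ignored on the new line; set_Passwd returns false and leaves the stored password unchanged when `$_POST['addpassword']` is not a string (missing, or sent as an array), so the profile is then saved with whatever password the freshly loaded config already carried, presumably the template's. Guard the save: `if (!$conf->set_Passwd($_POST['addpassword'])) { $msg = _("Created new profile."); }` is not enough, the branch should skip `$conf->save()` and report the error instead. Note that an empty string passes the `is_string` test and is hashed as a valid password, which may or may not be intended here. The enclosing `if ($_POST['submit'])` block starts outside the hunk.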
diff --git a/lam/tests/conf-test.php b/lam/tests/conf-test.php
index 94190a34..0c9bbc44 100644
--- a/lam/tests/conf-test.php
+++ b/lam/tests/conf-test.php
@@ -39,7 +39,6 @@ echo ("
Starting Test...
");
echo ("Loading preferences...");
$ServerURL = $conf->get_ServerURL();
$cachetimeout = $conf->get_cacheTimeout();
-$Passwd = $conf->get_Passwd();
$Adminstring = $conf->get_Adminstring();
$Suff_users = $conf->get_Suffix('user');
$Suff_groups = $conf->get_Suffix('group');
@@ -81,7 +80,7 @@ echo ("Loading and comparing...");
$conf2 = new LAMConfig('test');
if ($conf2->get_ServerURL() != "ldap://123.345.678.123:777") echo ("
Saving ServerURL failed!
");
if ($conf2->get_cacheTimeout() != "33") echo ("
Saving Cache timeout failed!
");
-if ($conf2->get_Passwd() != "123456abcde") echo ("
Saving password failed!
");
+if (!$conf2->check_Passwd("123456abcde")) echo ("
Saving password failed!
");
if ($conf2->get_Adminstring() != "uid=test,o=test,dc=org;uid=root,o=test2,c=de") echo ("
Saving admin string failed!
");
if ($conf2->get_Suffix('user') != "ou=test,o=test,c=de") echo ("
Saving user suffix failed!
");
if ($conf2->get_Suffix('group') != "ou=testgrp,o=test,c=de") echo ("
Saving group suffix failed!
");
@@ -102,7 +101,7 @@ echo ("done
");
echo ("Restoring old preferences...");
$conf2->set_ServerURL($ServerURL);
$conf2->set_cacheTimeout($cachetimeout);
-$conf2->set_Passwd($Passwd);
+$conf2->set_Passwd('lam');
$conf2->set_Adminstring($Adminstring);
$conf2->set_Suffix('user', $Suff_users);
$conf2->set_Suffix('group', $Suff_groups);
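Review bot: The restore step now writes the literal `'lam'` instead of the previously read password, because `get_Passwd` was removed and the stored hash cannot be reversed; this silently resets the test profile's password after every run rather than restoring it. A comment should state that, e.g. `// the original password cannot be recovered from its hash; reset to the default`. The restore sequence continues outside the hunk.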