XOOPS Web Application System (https://xoops.org)
Urgent:: XOOPS 2.5 - Password Security Patch

Category : XOOPS | Published by wishcraft on 08-Sep-2012 05:26
XOOPS 2.5 - Password Security Patch
Community Release by Chronolabs Co-op

You may have heard about this when the LinkedIn user database was hacked: Anonymous were reverse engineering over 2.4 million passwords. They were stored as a non-reversible, non-symposium checksum, which meant that, through a dictionary attack, by comparing the checksum against a test case you could work out someone's password. This is typically possible with ALL NON-REVERSIBLE CHECKSUMS.

Many months ago I worked on a checksum/hash called QCP, the Quantum Checksum Process. At lengths of around 12 or less it becomes a symposium checksum, that is, it has collisions with other variants of data that share a similar fingerprint. This means there are many possible inputs or passwords that could have the same checksum. If you lengthen the fingerprint to 28 or more, however, there is no possible collision point for the fingerprint.

In this package there is a variation of QCP I have written called XoopsCRC, which provides a hash that is bitwise comparable, and a secondary class loader for a shorter version of it, which is simply a hash called password. There is also a modified /kernel/member.php which allows comparison of both md5 and password fingerprints, so any user who hasn't reset their password since the patch was applied can still log in. Also, if you forget your username, you can log in with your email address instead. This is the XoopsMemberHandler::loginUser() function.

I have also removed the use of md5 for new accounts, in both the core files and the profile module, which is included in the patch. This is done simply by replacing md5() with XoopsHash::password().
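As an added example (editor's code, not part of the patch or of the XOOPS core), the following PHP shows the two mechanisms described above: the offline dictionary attack that plain md5 storage permits, and a loginUser()-style path that accepts a legacy md5 row, re-hashes it on a successful login, and allows the e-mail address in place of the username. Because the page does not give the XoopsHash::password()/XoopsCRC algorithm, the example swaps in PHP's built-in password_hash() (bcrypt by default, PHP 5.5 or later; the nullable return types need PHP 7.1 or later) as the replacement hash. One caveat a practitioner should keep in mind: what defeats the dictionary attack is a per-user salt and a deliberately slow hash, not collisions in the digest. A fast, unsalted checksum of any design can be attacked exactly as shown, since the attacker never needs to invert it, only to find some candidate that produces the stored value. The sample users table, names and passwords are constructed for this example.

```php
<?php
// Added example (editor's, not the patch's code): legacy md5 login with
// transparent upgrade to a salted, slow hash, plus the dictionary attack
// that motivates the change. password_hash()/password_verify() stand in
// for XoopsHash::password(), whose algorithm the page does not give.

// Constructed sample of a XOOPS-style `users` table (columns uname, email,
// pass): one legacy md5 row and one already-migrated row. Invented data.
function sample_users(): array
{
    return [
        ['uid' => 1, 'uname' => 'alice', 'email' => 'alice@example.com',
         'pass' => md5('correct horse')],                             // legacy
        ['uid' => 2, 'uname' => 'bob',   'email' => 'bob@example.com',
         'pass' => password_hash('battery staple', PASSWORD_DEFAULT)], // migrated
    ];
}

// The attack described in the post: an offline dictionary run against an
// unsalted fast hash. Collision properties are irrelevant; any candidate
// whose md5 equals the stored value is accepted by the application.
function dictionary_attack(string $stored, array $wordlist): ?string
{
    foreach ($wordlist as $word) {
        if (hash_equals($stored, md5($word))) {
            return $word;
        }
    }
    return null;
}

// A raw md5 in the XOOPS table is 32 lowercase hex characters; password_hash()
// output starts with "$2y$" (bcrypt) or "$argon2...", so the formats cannot be
// confused with each other.
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Returns null on failure, or the hash that should now be stored for the user:
// a fresh password_hash() if the row was md5 (or needs a rehash), else unchanged.
function verify_and_upgrade(string $stored, string $candidate): ?string
{
    if (is_legacy_md5($stored)) {
        // hash_equals() is a constant-time comparison.
        if (!hash_equals($stored, md5($candidate))) {
            return null;
        }
        // Legacy credential accepted: re-hash now, while the plaintext is in hand.
        return password_hash($candidate, PASSWORD_DEFAULT);
    }
    if (!password_verify($candidate, $stored)) {
        return null;
    }
    // Picks up a later cost or algorithm change on the next successful login.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($candidate, PASSWORD_DEFAULT)
        : $stored;
}

// Mirrors the patched loginUser() behaviour: the login field may be either the
// username or the e-mail address. Returns the user row with `pass` set to the
// value the caller should write back (UPDATE users SET pass = ...), or null.
function login_user(array $users, string $login, string $password): ?array
{
    foreach ($users as $user) {
        if ($user['uname'] !== $login && strcasecmp($user['email'], $login) !== 0) {
            continue;
        }
        $newHash = verify_and_upgrade($user['pass'], $password);
        if ($newHash === null) {
            return null;
        }
        $user['pass'] = $newHash;
        return $user;
    }
    return null;
}

// Usage: the attack recovers alice's md5'd password from a tiny wordlist;
// after she logs in once (by e-mail), her stored hash is no longer md5.
$users = sample_users();
$cracked = dictionary_attack($users[0]['pass'], ['password', '123456', 'correct horse']);
assert($cracked === 'correct horse');

$alice = login_user($users, 'alice@example.com', 'correct horse');
assert($alice !== null && !is_legacy_md5($alice['pass']));
assert(password_verify('correct horse', $alice['pass']));
assert(login_user($users, 'alice', 'wrong password') === null);
assert(login_user($users, 'bob', 'battery staple') !== null);
```

The write-back of the upgraded hash is the step that actually retires md5 from the table; without it the weak hashes stay in the database indefinitely for every user who never changes their password, which is the situation the patch's dual-comparison login is meant to bridge, not to make permanent.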

Download: xoops2.5_password_security_1.0.1.zip - 30Kb

readme.txt

-----------------------------------------------------------------------------------------------------------
-[ XOOPS Password Security Patch for XOOPS 2.5 08-09-2012 14:21 - For XOOPS 2.5.x ]-----------[ v 1.0.1 ]--
-----------------------------------------------------------------------------------------------------------
:: Foreword ::

With the current distribution of XOOPS, user passwords are stored as an md5 hash. This means that if a hacker was able to get a copy of your user table in MySQL, he would be able to reverse engineer the md5 with a dictionary attack or an md5 reverser to find out your users' passwords. If a user has a common password across systems, this would then expose him on the internet to fraud, deception and general unpleasantness.

The checksum used in the XoopsHash::password() function is a symposium checksum, which means there are many possible inputs in the data space that give the same result for a password. This means there is no way of reversing the checksum, as it has collisions with other data combinations of varied lengths, so the passwords are secure from reverse engineering and dictionary attacks.

:: Installation ::

Copy the contents of the /htdocs folder in the zip over the top of the files in XOOPS 2.5, replacing them. The /htdocs folder contents are copied into your public root path, the same path as defined in mainfile.php as XOOPS_ROOT_PATH. On a Unix system this is typically the folder called public_html.

--[ simon@chronolabs.com.au ]-----------------------------------------------------------[ @itswishcraft ]--


changelog.txt
----------------------------------------------------------------------------------------------------------
- XOOPS Password Security Patch for XOOPS 2.5 08-09-2012 14:21 - For XOOPS 2.5.x -
----------------------------------------------------------------------------------------------------------
* changed /kernel/member.php XoopsMemberHandler::loginUser() now accepts the old md5() as well as XoopsHash::password()
* changed /lostpass.php XoopsHash::password() implemented instead of md5()
* changed /register.php XoopsHash::password() implemented instead of md5()
* changed /modules/profile/lostpass.php XoopsHash::password() implemented instead of md5()
* changed /modules/profile/register.php XoopsHash::password() implemented instead of md5()
* added /class/hash/xoopshash.php Xoops Checksum Handler
* added /class/hash/md5/md5.php Md5 Checksum Handler
* added /class/hash/sha1/sha1.php Sha1 Checksum Handler
* added /class/hash/xoopscrc/xoopscrc.php Xoops CRC Checksum Handler
* added /class/hash/xoopscrc/xoops.crc.base.php Xoops CRC Base Class
* added /class/hash/xoopscrc/xoops.crc.class.php Xoops CRC Handler Class
* added /class/hash/xoopscrc/xoops.crc.enumerator.php Xoops CRC Enumerator Class
* added /class/hash/xoopscrc/xoops.crc.leaver.php Xoops CRC Leaver Class
* added /class/hash/password/password.php Xoops Password Checksum Handler
----------------------------------------------------------------------------------------------------------