Improve password security by obfuscating it in the form #96

2016-05-21 16:55:12 -04:00 · 2016-05-21 16:55:12 -04:00 · 9ded89b6a5
parent 736b713a70
commit 9ded89b6a5
5 changed files with 43 additions and 7 deletions
--- a/src/includes/functions.inc.php
+++ b/src/includes/functions.inc.php
@ -630,6 +630,9 @@ function psm_no_cache() {
 */
 function psm_password_encrypt($password)
 {
 	if(empty($password))
 		return '';
 	$key = psm_get_conf('password_encrypt_key');
 	$iv = mcrypt_create_iv(
@ -641,7 +644,7 @@ function psm_password_encrypt($password)
 		$iv .
 		mcrypt_encrypt(
 			MCRYPT_RIJNDAEL_128,
-			hash('sha256', $key, true),
+			hash('sha256',  $key, true),
 			$password,
 			MCRYPT_MODE_CBC,
 			$iv
@ -660,6 +663,9 @@ function psm_password_encrypt($password)
 */
 function psm_password_decrypt($encryptedString)
 {
 	if(empty($encryptedString))
 		return '';
 	$key = psm_get_conf('password_encrypt_key');
 	$data = base64_decode($encryptedString);
@ -668,7 +674,7 @@ function psm_password_decrypt($encryptedString)
 	$decrypted = rtrim(
 		mcrypt_decrypt(
 			MCRYPT_RIJNDAEL_128,
-			hash('sha256', $key, true),
+			hash('sha256',  $key, true),
 			substr($data, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)),
 			MCRYPT_MODE_CBC,
 			$iv
--- a/src/lang/en_US.lang.php
+++ b/src/lang/en_US.lang.php
@ -125,7 +125,7 @@ $sm_lang = array(
 		'website_username' => 'Username',
 		'website_username_description' => 'Username to access the site. (Only Apache authentication is supported.)',
 		'website_password' => 'Password',
-		'website_password_description' => 'Password to access the site. The password is encrypted in the database and is not stored in plain text.',
+		'website_password_description' => 'Password to access the site. The password is encrypted in the database.',
 		'fieldset_monitoring' => 'Monitoring',
 		'fieldset_permissions' => 'Permissions',
 		'port' => 'Port',
--- a/src/psm/Module/Server/Controller/ServerController.php
+++ b/src/psm/Module/Server/Controller/ServerController.php
@ -200,7 +200,7 @@ class ServerController extends AbstractServerController {
 				'edit_value_pattern' => $edit_server['pattern'],
 				'edit_value_warning_threshold' => $edit_server['warning_threshold'],
 				'edit_website_username' => $edit_server['website_username'],
-				'edit_website_password' => psm_password_decrypt($edit_server['website_password']),
+				'edit_website_password' => empty($edit_server['website_password']) ? '' : sha1($edit_server['website_password']),
 				'edit_type_selected_' . $edit_server['type'] => 'selected="selected"',
 				'edit_active_selected_' . $edit_server['active'] => 'selected="selected"',
 				'edit_email_selected_' . $edit_server['email'] => 'selected="selected"',
@ -233,12 +233,38 @@ class ServerController extends AbstractServerController {
 			// dont process anything if no data has been posted
 			return $this->executeIndex();
 		}
         $encrypted_password  = '';
         if(!empty($_POST['website_password']))
         {
             $new_password = psm_POST('website_password');
             if($this->server_id > 0)
             {
                 $edit_server = $this->getServers($this->server_id);
                 $hash = sha1($edit_server['website_password']);
                 if($new_password == $hash)
                 {
                     $encrypted_password = $edit_server['website_password'];
                 }
                 else
                 {
                     $encrypted_password =  psm_password_encrypt( $new_password);
                 }
             }
             else
             {
                 $encrypted_password =  psm_password_encrypt($new_password);
             }
         }
 		$clean = array(
 			'label' => trim(strip_tags(psm_POST('label', ''))),
 			'ip' => trim(strip_tags(psm_POST('ip', ''))),
 			'timeout' => (isset($_POST['timeout']) && intval($_POST['timeout']) > 0) ? intval($_POST['timeout']) : null,
 			'website_username' => psm_POST('website_username', null),
-            'website_password' => (isset($_POST['website_password'])) ? psm_password_encrypt(psm_POST('website_password')) : '',
+               'website_password' => $encrypted_password,
 			'port' => intval(psm_POST('port', 0)),
 			'type' => psm_POST('type', ''),
 			'pattern' => psm_POST('pattern', ''),
--- a/src/templates/default/module/server/server/update.tpl.html
+++ b/src/templates/default/module/server/server/update.tpl.html
@ -88,7 +88,7 @@
 		<div class="control-group types typeWebsite">
 			<label class="control-label" for="website_password">{{ label_website_password }}</label>
 			<div class="controls">
-				<input type="text" id="website_password" name="website_password" value="{{ edit_website_password }}" data-toggle="tooltip" title="{{ label_website_password_description }}" />
+				<input type="password" id="website_password" name="website_password" value="{{ edit_website_password }}" data-toggle="tooltip" title="{{ label_website_password_description }}" />
 			</div>
 		</div>
 	</fieldset>
--- a/src/templates/default/module/server/server/view.tpl.html
+++ b/src/templates/default/module/server/server/view.tpl.html
@ -79,7 +79,11 @@
 		</tr>
 		<tr>
 			<td>{{ label_website_password }}:</td>
-			<td>******</td>
+			<td>
                {% if (website_password is not empty) %}
 				******
 				{% endif %}
 			</td>
 		</tr>
 		{% if has_admin_actions %}
 		<tr>