OfHash Implement (Issue 7 Fix)

.gitignore

@@ -1,3 +1,4 @@
 backups/*
 npp.bat
-.svn
+.svn
+.DS_Store

admin/add_user.php

@@ -7,7 +7,11 @@
     $ignoresrestrictions=$db->escape_string($_POST['ignoresrestrictions']=="on"?"1":"0");
     $ip=$db->escape_string($_POST['ip']);
     $group=explode(":",$db->escape_string($_POST['groups']));
-	$password=sha1($db->escape_string($_POST['pass']));
+    include_once('hash/OfHash.php');
+    $hash = new OfHash();
+    $inputstring=$_POST['pass'];
+    $hashedpassword = $hash->hash($inputstring);
+    $password=$db->escape_string($hashedpassword);
 	if (strlen($_POST['pass']) > 0)
 	{
 		$db->insert("users",Array("name"=>$nick,

admin/buildconfig.php

@@ -144,7 +144,7 @@
 			{
 				mysql_query('ALTER TABLE users ADD password varchar(255)');
 			}
-			mysql_query('insert into users (name, password) values ("admin", "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3");', $conn);
+			mysql_query('insert into users (name, password) values ("admin", "$O$Brl4bRZY/Lt9yEk.6htwp7hmElu6rO1gXFLmzoBTyYHLpZWUDy.gkyUtZoqakeESC1Z5JsXlPbPkoPJHP95hSzoN4aiDe2/");', $conn);
 
 			$rs = mysql_query('SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "items" and table_schema = "'.$_POST['mysql_database'].'"', $conn);
 			if (mysql_num_rows($rs) == 0)

admin/edit_user.php

@@ -8,7 +8,10 @@
         $ignoresrestrictions=$_POST['ignoresrestrictions']=="on"?"1":"0";
         $ip=$_POST['ip'];
         $group=explode(":",$_POST['groups']);
-	$password=sha1($_POST['pass']);
+        include_once('hash/OfHash.php');
+        $hash = new OfHash();
+	$inputstring=$_POST['pass'];
+        $password = $hash->hash($inputstring);
 	if (strlen($_POST['pass']) > 0)
 	{
 		$db->set("users",Array(

admin/hash/OfHash.php

@@ -9,7 +9,6 @@
  * Minimum Requirement: PHP 5.0.0
  */
 
-if(!defined('OF_ROOT')) exit;
 
 /**
  * OpenFlame Web Framework - Hashing framework,
@@ -168,6 +167,29 @@ public function check($password, $stored_hash)
 		if ($hash[0] == '*')
 			$hash = crypt($password, $stored_hash);
 
-		return $hash == $stored_hash;
+		return $this->full_compare($hash, $stored_hash);
+	}
+
+	/**
+	 * A time-insensitive string comparison function, to help deter highly accurate timing attacks.
+	 * @param string $a - The first string to compare
+	 * @param string $b - The second string to compare
+	 * @return boolean - Do the strings match?
+	 *
+	 * @license - Public Domain - http://twitter.com/padraicb/status/41055320243437568
+	 * @link http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/
+	 * @author http://twitter.com/padraicb
+	 */
+	public function full_compare($a, $b)
+	{
+		if(strlen($a) !== strlen($b))
+			return false;
+
+		$result = 0;
+
+		for($i = 0, $size = strlen($a); $i < $size; $i++)
+			$result |= ord($a[$i]) ^ ord($b[$i]);
+
+		return $result == 0;
 	}
 }

admin/login_process.php

@@ -1,6 +1,9 @@
 <?php
 session_start();
 require_once('config.php');
+require_once('hash/OfHash.php');
+$hash = new OfHash();
+
 
 if($useflatfile){
     require("flatfile.class.php");
@@ -16,10 +19,10 @@
     echo "MySQL Configuration Incorrect.";
     exit();
 }
-$result=$db->fetch_by("users",Array("password"=>sha1($_POST['pass']),"name"=>$_POST['user']),"");
-if($result['password'] == sha1($_POST['pass'])) {
-        $_SESSION['user']=$result["name"];
-        echo "1";
+$result=$db->fetch_by("users",Array("password"=>$_POST['pass'],"name"=>$_POST['user']),"");
+if($hash->check($_POST['pass'], $result['password'])){
+    $_SESSION['user']=$result["name"];
+            echo "1";
 }else{
         echo "0";
 }

admin/mineadmin.sql

@@ -12,4 +12,4 @@ CALL addcol();
 
 DROP PROCEDURE addcol;
 
-insert into users (name, groups, password) values ('admin','default', 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3');
+insert into users (name, groups, password) values ('admin','default', '$O$Brl4bRZY/Lt9yEk.6htwp7hmElu6rO1gXFLmzoBTyYHLpZWUDy.gkyUtZoqakeESC1Z5JsXlPbPkoPJHP95hSzoN4aiDe2/');

index.php

@@ -8,29 +8,15 @@
 <html lang="en">
 <head>
 	<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-	<title>MinecraftServers.com</title>
-	<style type="text/css">
-		#wrapper{display:table;overflow:hidden;margin:0px auto;}
-		#container{display:table-cell;}
-		html,body{height:100%;}
-		body {background: #d3d3d3 url('images/bg.png') no-repeat top center; font-family: sans-serif; font-size: 16px;}
-		a {text-decoration: none;color:#144564;}
-		ul,li {}
-		#footer {color: #b2b2b2;text-shadow:#fff 0px 1px 0, #999 0 -1px 0;}
-		#footer a {color: #144564;text-decoration: none;}
-		#wrapper{height:100%;width:800px;}
-		#content {margin-top: 75px;text-align: left;}
-		#footer {position: absolute;bottom: 15px;width:800px;text-align: center;}
-	</style>
+	<title>MinecraftServers.com</title><link rel="stylesheet" type="text/css" href="style.css">
 </head>
 <body>
    <div id="wrapper">
        <div id="container">
                <div id="content">
-					<?php echo Markdown(file_get_contents('admin/markdown.md'));?>
-	            </div>
+			  <?php echo Markdown(file_get_contents('admin/markdown.md'));?></div>
                <div id="footer">Powered by <a href="http://minecraftservers.com">MinecraftServers.com</a></div>
        </div>
   </div> 
 </body>
-</html>
+</html>

style.css

@@ -0,0 +1,11 @@
+#wrapper{display:table;overflow:hidden;margin:0px auto;}
+#container{display:table-cell;}
+html,body{height:100%;}
+body {background: #d3d3d3 url('images/bg.png') no-repeat top center; font-family: sans-serif; font-size: 16px;}
+a {text-decoration: none;color:#144564;}
+ul,li {}
+#footer {color: #b2b2b2;text-shadow:#fff 0px 1px 0, #999 0 -1px 0;}
+#footer a {color: #144564;text-decoration: none;}
+#wrapper{height:100%;width:800px;}
+#content {margin-top: 75px;text-align: left;}
+#footer {position: absolute;bottom: 15px;width:800px;text-align: center;}