More secure password encryption mod (using mcrypt)
I wasn't happy with the level of encryption for user passwords within x-cart, so, based upon a freely available class that uses MCrypt password encrypt/decrypt functionality, I've modified X-Cart to support user-encrypted passwords, up to 256-bit level encryption :-) (I read on Wikipedia that the currently "crackable" level is 66-bit, so hackers would have a ways to go if they were trying to crack the encryption algorithm.)

--------------------------------------

This mod REQUIRES that the MCrypt module be compiled into PHP. If you are on a server that runs CPanel/WHM, it is no problem at all for the server admin to go into the Apache build settings and enable MCrypt.

DISCLAIMER: This modification works perfectly on our Centos v4 server running WHM/CPanel, Apache 1.3.x, PHP 4.4.x, MySQL 4.0.25, with X-Cart 4.0.18. We claim no responsibility for any damage you may cause by applying this mod. We do not guarantee that this mod will work in your "environment". We do not guarantee your own ability to install this mod successfully. You install this mod at your own risk!!

If needed, I can install this mod for $25 (if for some reason I were to install the mod and it didn't work in your environment, I would uninstall the mod and you would not be charged). You may contact me via these forums in PM or email to contract my services; support can be handled in this thread.

IMPORTANT -- Create a back-up of all files that you will be modifying, as well as your database, before applying this mod!!

--------------------------------------

This mod affects the following files:
In a follow-up post, I'll copy/paste the contents of a PATCH file that can perform the alterations as needed.

--------------------------------------

OPEN config.php

FIND Code:
$START_CHAR_CODE = 100; # 'd' letter

AFTER, ADD Code:
# Replace the value of CRYPT_KEY with any random string, long=good. You may use numbers and letters. I have not tested the use of non-alphanumeric characters, feel free to test. DO NOT TEST on a live site, once you set the CRYPT_KEY, you must not change it again. Read the notes at the end regarding settings for CRYPT_CIPHER and CRYPT_MODE

OPEN include/change_password.php

FIND Code:
db_query("UPDATE $sql_tbl[customers] SET password='".addslashes(text_crypt($new_password))."', change_password='N' WHERE login='".addslashes($xlogin)."'");

REPLACE WITH Code:
$new_password = text_crypt($new_password,false,true,true);

OPEN include/func.php

FIND Code:
function text_crypt($s, $is_blowfish = false) {

REPLACE WITH Code:
function text_crypt($s, $is_blowfish = false, $ret_iv = false, $mcrypt = false) {

FIND Code:
function text_decrypt($s) {

REPLACE WITH Code:
function text_decrypt($s, $iv = '', $mcrypt = false) {

FIND Code:
$userinfo["passwd1"] = stripslashes(text_decrypt($userinfo["password"]));

REPLACE WITH Code:
$userinfo["passwd1"] = stripslashes(text_decrypt($userinfo["password"], $userinfo["password_key"], true));

FIND Code:
$account = func_query_first("SELECT login, password FROM $sql_tbl[customers] WHERE login='$uname'");

REPLACE WITH Code:
$account = func_query_first("SELECT login, password, password_key FROM $sql_tbl[customers] WHERE login='$uname'");

FIND Code:
$account = func_query_first("SELECT login, password FROM $sql_tbl[customers] WHERE login='$login_' AND usertype='$usertype'");

REPLACE WITH Code:
$account = func_query_first("SELECT login, password, password_key FROM $sql_tbl[customers] WHERE login='$login_' AND usertype='$usertype'");

OPEN include/help.php

FIND Code:
$accounts = func_query("select login, password, usertype from $sql_tbl[customers] where email='$email' and status='Y'");

REPLACE WITH Code:
$accounts = func_query("select login, password, password_key, usertype from $sql_tbl[customers] where email='$email' and status='Y'");

FIND Code:
$accounts[$key]["password"]=text_decrypt($accounts[$key]["password"]);

REPLACE WITH Code:
$accounts[$key]["password"]=text_decrypt($accounts[$key]["password"], $accounts[$key]["password_key"], true);

OPEN include/login.php

FIND Code:
if (!empty($user_data) && $password == text_decrypt($user_data["password"]) && !empty($password) && $allow_login) {

REPLACE WITH Code:
if ($user_data['password_key']==''){

OPEN include/register.php

FIND Code:
$crypted = addslashes(text_crypt($passwd1));

REPLACE WITH Code:
# text_crypt() now returns an array ('s' => ciphertext, 'iv' => key); addslashes() is applied to each element in the queries below
$crypted = text_crypt($passwd1,false,true,true);

FIND Code:
db_query("UPDATE $sql_tbl[customers] SET password='$crypted', password_hint='$password_hint', password_hint_answer='$password_hint_answer', title='$title', firstname='$firstname', lastname='$lastname', company='$company', b_address='".$b_address."\n".$b_address_2."', b_city='$b_city', b_county='".(@$b_county)."', b_state='$b_state', b_country='$b_country', b_zipcode='$b_zipcode', s_address='".$s_address."\n".$s_address_2."', s_city='$s_city', s_county='".(@$s_county)."', s_state='$s_state', s_country='$s_country', s_zipcode='$s_zipcode', phone='$phone', email='$email', fax='$fax', url='$url', card_name='$card_name', card_type='$card_type', card_number='".addslashes(text_crypt($card_number))."', card_expire='$card_expire', card_cvv2='$card_cvv2', pending_membership='$pending_membership', ssn='$ssn', change_password='$change_password', parent = '$parent', pending_plan_id = '$pending_plan_id' WHERE login='$login' AND usertype='$login_type'");

REPLACE WITH Code:
db_query("UPDATE $sql_tbl[customers] SET password='".addslashes($crypted['s'])."', password_key='".addslashes($crypted['iv'])."', password_hint='$password_hint', password_hint_answer='$password_hint_answer', title='$title', firstname='$firstname', lastname='$lastname', company='$company', b_address='".$b_address."\n".$b_address_2."', b_city='$b_city', b_county='".(@$b_county)."', b_state='$b_state', b_country='$b_country', b_zipcode='$b_zipcode', s_address='".$s_address."\n".$s_address_2."', s_city='$s_city', s_county='".(@$s_county)."', s_state='$s_state', s_country='$s_country', s_zipcode='$s_zipcode', phone='$phone', email='$email', fax='$fax', url='$url', card_name='$card_name', card_type='$card_type', card_number='".addslashes(text_crypt($card_number))."', card_expire='$card_expire', card_cvv2='$card_cvv2', pending_membership='$pending_membership', ssn='$ssn', change_password='$change_password', parent = '$parent', pending_plan_id = '$pending_plan_id' WHERE login='$login' AND usertype='$login_type'");

FIND Code:
db_query("INSERT INTO $sql_tbl[customers] (login,usertype,password,password_hint,password_hint_answer,title,firstname,lastname,company,b_address,b_city,b_county,b_state,b_country,b_zipcode,s_address,s_city,s_county,s_state,s_country,s_zipcode,phone,email,fax,url,card_name,card_type,card_number,card_expire,card_cvv2,first_login,status,referer,pending_membership,ssn,parent,pending_plan_id,change_password) VALUES ('$uname','$usertype','$crypted','".@$password_hint."','".@$password_hint_answer."','$title','$firstname','$lastname','$company','".$b_address."\n".$b_address_2."','$b_city','".(@$b_county)."','$b_state','$b_country','$b_zipcode','".$s_address."\n".$s_address_2."','$s_city','".(@$s_county)."','$s_state','$s_country','$s_zipcode','$phone','$email','$fax','$url','".@$card_name."','".@$card_type."','".addslashes(text_crypt(@$card_number))."','".@$card_expire."','".@$card_cvv2."','".time()."','Y','".@$RefererCookie."','".@$pending_membership."','".@$ssn."', '$parent', '$pending_plan_id','$change_password')");

REPLACE WITH Code:
db_query("INSERT INTO $sql_tbl[customers] (login,usertype,password,password_key,password_hint,password_hint_answer,title,firstname,lastname,company,b_address,b_city,b_county,b_state,b_country,b_zipcode,s_address,s_city,s_county,s_state,s_country,s_zipcode,phone,email,fax,url,card_name,card_type,card_number,card_expire,card_cvv2,first_login,status,referer,pending_membership,ssn,parent,pending_plan_id,change_password) VALUES ('$uname','$usertype','".addslashes($crypted['s'])."','".addslashes($crypted['iv'])."','".@$password_hint."','".@$password_hint_answer."','$title','$firstname','$lastname','$company','".$b_address."\n".$b_address_2."','$b_city','".(@$b_county)."','$b_state','$b_country','$b_zipcode','".$s_address."\n".$s_address_2."','$s_city','".(@$s_county)."','$s_state','$s_country','$s_zipcode','$phone','$email','$fax','$url','".@$card_name."','".@$card_type."','".addslashes(text_crypt(@$card_number))."','".@$card_expire."','".@$card_cvv2."','".time()."','Y','".@$RefererCookie."','".@$pending_membership."','".@$ssn."', '$parent', '$pending_plan_id','$change_password')");

OPEN sql/xcart_tables.sql (OPTIONAL)

FIND Code:
password varchar(128) NOT NULL default '',

REPLACE WITH Code:
password blob NOT NULL,

CREATE include/class.mcrypt.php

PASTE IN THE FOLLOWING CODE Code:
<?php

EXECUTE THE FOLLOWING CODE VIA phpMyAdmin (changing SQL) -- replace "xcart_" with your own prefix if needed Code:
ALTER TABLE `xcart_customers`

SAVE AND CLOSE ALL FILES

I created a script to convert all passwords in the database, but that proved to be a lengthy process (5000+ members would have taken several hours to process). Due to the slow speed of that process, I altered this mod so that it will automatically convert a user's password when the login script is prompted in x-cart. When an attempt is made to login, the script checks the user's password; if it's not the new "standard", then the password is decrypted and re-encrypted.

In config.php, you have the ability to change the encryption algorithm (CRYPT_CIPHER) and the "mode" used for encryption (CRYPT_MODE). The defaults provided are a strong combination (256-bit encryption), but feel free to change them. Once you set these values, you cannot alter them again.

On my own server, running the latest Apache/PHP/MCrypt as provided by CPanel/WHM, my options for CIPHER and MODE are listed below; they'll likely work for you:

Quote:
Cheers! -intel352
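The password/password_key split and the convert-on-login flow described in the post, as an added example that is not the post's or X-Cart's code: openssl stands in for the post's mcrypt class (mcrypt was removed in PHP 7.2), and the CRYPT_KEY value, the text_crypt_iv/text_decrypt_iv/check_login names and the $legacy_decrypt callable are assumptions standing in for the post's config value, its mcrypt class and X-Cart's original text_decrypt.

```php
<?php
// Added example, not the post's code: the post's text_crypt/text_decrypt split, with the
// per-user IV kept in password_key, and the login-time conversion of legacy rows.
// mcrypt was removed in PHP 7.2, so openssl stands in for the post's mcrypt class.
// CRYPT_KEY is a constructed sample; as with the post's config.php value, never change it.
define('CRYPT_KEY', hash('sha256', 'constructed-sample-key-replace-me', true)); // 32 bytes
define('CRYPT_CIPHER', 'aes-256-cbc');

// Encrypt $s under CRYPT_KEY with a fresh random IV. Returns ['s' => ciphertext, 'iv' => iv],
// the shape the post's text_crypt($s, false, true, true) hands back for password/password_key.
function text_crypt_iv(string $s): array {
    $iv = random_bytes(openssl_cipher_iv_length(CRYPT_CIPHER));
    $ct = openssl_encrypt($s, CRYPT_CIPHER, CRYPT_KEY, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return ['s' => $ct, 'iv' => $iv];
}

// Decrypt a `password` column value with the IV from `password_key`; null on any failure.
function text_decrypt_iv(string $ct, string $iv): ?string {
    // Malformed row: refuse rather than decrypt with a wrong-length IV.
    if (strlen($iv) !== openssl_cipher_iv_length(CRYPT_CIPHER)) { return null; }
    $pt = openssl_decrypt($ct, CRYPT_CIPHER, CRYPT_KEY, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// The include/login.php branch from the post: an empty password_key marks a legacy row.
// $legacy_decrypt stands for x-cart's original text_decrypt (a hypothetical callable here).
// Returns null if the login fails, otherwise the values to store in password/password_key.
function check_login(array $row, string $password, callable $legacy_decrypt): ?array {
    if ($password === '') { return null; } // x-cart's !empty($password) check
    if ($row['password_key'] === '') {
        $stored = $legacy_decrypt($row['password']);
        if (!is_string($stored) || !hash_equals($stored, $password)) { return null; }
        $new = text_crypt_iv($password); // convert the row on a successful legacy login
        return ['password' => $new['s'], 'password_key' => $new['iv']];
    }
    $stored = text_decrypt_iv($row['password'], $row['password_key']);
    if ($stored === null || !hash_equals($stored, $password)) { return null; }
    return ['password' => $row['password'], 'password_key' => $row['password_key']];
}

// Constructed sample: a legacy row whose old format is stood in for by base64.
$legacy_row = ['password' => base64_encode('s3cret'), 'password_key' => ''];
$update = check_login($legacy_row, 's3cret', 'base64_decode');
var_dump($update !== null && text_decrypt_iv($update['password'], $update['password_key']) === 's3cret');
var_dump(check_login($legacy_row, 'wrong', 'base64_decode') === null);
```

The returned array is what the caller writes back with UPDATE so the next login takes the already-converted branch; hash_equals keeps the comparison constant-time, which the post's `==` comparison does not.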
Here is the patch file contents. This is only useful to users that know how to automatically apply a patch to source code.

You must read the previous post regarding config.php and the configuration of the new variables. Also, you still need to execute the SQL query found at the end of the previous post.

Code:
Index: config.php