Default.php - Hold relevant$fckphp_config vars locally Decr…

/gui/tools/webmail/plugins/html_mail/fckeditor/editor/filemanager/browser/mcpuk/connectors/php/Auth/Default.php

https://github.com/BenBE/ispCP · PHP · 86 lines · 42 code · 10 blank · 34 comment · 12 complexity · 48bb32c977e42e7e3c62da61dd125266 MD5 · raw file


<?php 

/*

 * FCKeditor - The text editor for internet

 * Copyright (C) 2003-2005 Frederico Caldeira Knabben

 * 

 * Licensed under the terms of the GNU Lesser General Public License:

 * 		http://www.opensource.org/licenses/lgpl-license.php

 * 

 * For further information visit:

 * 		http://www.fckeditor.net/

 * 

 * "Support Open Source software. What about a donation today?"

 * 

 * File Name: Default.php

 * 	Im not very clued up on authentication but even i can see that anyone 

 * 	who can spoof an IP could perform a replay attack on this, but its 

 * 	better than nothing. 

 * 	There is a 1 hour time out on tokens to help this slightly.

 * 

 * File Authors:

 * 		Grant French (grant@mcpuk.net)

 */

class Auth {

	

	function authenticate($data,$fckphp_config) {



		//Hold relevant$fckphp_config vars locally

		$key=$fckphp_config['auth']['Handler']['SharedKey'];

		$fckphp_config['authSuccess']=false;

		

		//Decrypt the data passed to us

		$decData="";

		for ($i=0;$i<strlen($data)-1;$i+=2) $decData.=chr(hexdec($data[$i].$data[$i+1]));

		

		$decArray=explode("|^SEP^|",$decData);

		

		if (sizeof($decArray)==4) {

			//0 = Timestamp

			//1 = Client IP

			//2 = Username

			//3 = MD5

			if ($decArray[3]==md5($decArray[0]."|^SEP^|".$decArray[1]."|^SEP^|".$decArray[2].$key)) {

				if (time()-$decArray[0]<3600) { //Token valid for max of 1 hour

					if ($_SERVER['REMOTE_ADDR']==$decArray[1]) {

						

						//Set the file root to the users individual one

						$top=str_replace("//","/",$fckphp_config['basedir'].'/'.$fckphp_config['UserFilesPath']."/users");

						$fckphp_config['UserFilesPath']=$fckphp_config['UserFilesPath']."/users/".$decArray[2];

						$up=str_replace("//","/",$fckphp_config['basedir'].'/'.$fckphp_config['UserFilesPath']);

						

						if (!file_exists($top)) {

							mkdir($top,0777) or die("users folder in UserFilesPath does not exist and could not be created.");

							chmod($top,0777);

						}

						

						//Create folder if it doesnt exist

						if (!file_exists($up)) {

							mkdir($up,0777) or die("users/".$decArray[2]." folder in UserFilesPath does not exist and could not be created.");

							chmod($up,0777); //Just for good measure

						}

						

						//Create resource area subfolders if they dont exist

						foreach ($fckphp_config['ResourceTypes'] as $value) {

							if (!file_exists("$up/$value")) {

								mkdir("$up/$value",0777) or die("users/".$decArray[2]."/$value folder in UserFilesPath does not exist and could not be created.");

								chmod("$up/$value",0777); //Just for good measure

							}

						}

						$fckphp_config['authSuccess']=true;

					} else {

						//Not same client as auth token is for

					}

				} else {

					//Token more than an hour old

				}

			} else {

				//Data integrity failed

			}

		} else {

			//Not enough data (decryption failed?)

		}

		

		return $fckphp_config;

	}

}

?>

Alerts (7)

'md5(' Weak hashing detected; use password_hash() with PASSWORD_DEFAULT for secure password storage
42
Complexity hotspot; lines 42 to 44 (total complexity: 3)
42 43 44
'die(' Abrupt termination detected; use try-catch or custom error handlers for better control
52 58 65