- dont use md5 on remote users

Author: Marius Burkard

interface/lib/classes/remoting.inc.php

@@ -128,13 +128,23 @@ public function login($username, $password, $client_login = false)
 			$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
 			return $remote_session;
 		} else {
-			$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
-			$remote_user = $app->db->queryOneRecord($sql, $username, $password);
+			$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = ?";
+			$remote_user = $app->db->queryOneRecord($sql, $username, $app->auth->crypt_password($password));
+			if(!$remote_user) {
+				// fallback to md5
+				$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = ?";
+				$remote_user = $app->db->queryOneRecord($sql, $username, md5($password));
+				if($remote_user) {
+					// update hash algo
+					$sql = 'UPDATE `remote_user` SET `remote_password` = ? WHERE `remote_username` = ?';
+					$app->db->query($sql, $app->auth->crypt_password($password), $username);
+				}
+			}
 			if($remote_user['remote_userid'] > 0) {
 				if (trim($remote_user['remote_ips']) != '') {
 					$allowed_ips = explode(',',$remote_user['remote_ips']);
-					foreach($allowed_ips as $i => $allowed) { 
-						if(!filter_var($allowed, FILTER_VALIDATE_IP)) { 
+					foreach($allowed_ips as $i => $allowed) {
+						if(!filter_var($allowed, FILTER_VALIDATE_IP)) {
 							// get the ip for a hostname
 							unset($allowed_ips[$i]);
 							$temp=dns_get_record($allowed, DNS_A+DNS_AAAA);
@@ -169,7 +179,7 @@ public function login($username, $password, $client_login = false)
 				if(!$remote_allowed) {
 					throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
 					return false;
-				}	
+				}
 				//* Create a remote user session
 				//srand ((double)microtime()*1000000);
 				$remote_session = md5(mt_rand().uniqid('ispco'));
@@ -368,22 +378,22 @@ protected function updateQueryPrepare($formdef_file, $client_id, $primary_id, $p
 
 		//* Load the form definition
 		$app->remoting_lib->loadFormDef($formdef_file);
-		
+
 		//* get old record and merge with params, so only new values have to be set in $params
                $old_rec = $app->remoting_lib->getDataRecord($primary_id, $client_id);
-		
+
 		foreach ($app->remoting_lib->formDef['fields'] as $fieldName => $fieldConf)
         {
             if ($fieldConf['formtype'] === 'PASSWORD' && empty($params[$fieldName])) {
                 unset($old_rec[$fieldName]);
             }
         }
-		
+
 		$params = $app->functions->array_merge($old_rec,$params);
 
 		//* Get the SQL query
 		$sql = $app->remoting_lib->getSQL($params, 'UPDATE', $primary_id);
-		
+
 		// throw new SoapFault('debug', $sql);
 		if($app->remoting_lib->errorMessage != '') {
 			throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
@@ -546,7 +556,7 @@ public function server_get($session_id, $server_id = null, $section ='') {
 			return false;
 		}
 	}
-	
+
 	/**
 	    Gets a list of all servers
 	    @param int session_id

interface/web/admin/form/remote_user.tform.php

@@ -109,7 +109,7 @@
 					'errmsg' => 'weak_password_txt'
 				)
 			),
-			'encryption' => 'MD5',
+			'encryption' => 'CRYPT',
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -124,11 +124,11 @@
 		'remote_ips' => array (
 			'datatype'  => 'TEXT',
 			'formtype'  => 'TEXT',
-			'validators'  => array (  
+			'validators'  => array (
 				0 => array (
-					'type' => 'CUSTOM', 
-					'class' => 'validate_remote_user', 
-					'function' => 'valid_remote_ip', 
+					'type' => 'CUSTOM',
+					'class' => 'validate_remote_user',
+					'function' => 'valid_remote_ip',
 					'errmsg' => 'remote_user_error_ips'),
 			),
 			'default' => '',