  (#1)
KB3LWJ Offline
New Member
 
Posts: 11
Join Date: Jun 2008
Salt + Hash User Passwords - 29-06-2008, 11:27 PM

This will modify Kayako to salt and hash users' passwords.

Please make a full backup of your Kayako installation before installing this mod, including your database and your Kayako directory.

This has only been tested on
SupportSuite v3.20.02.


It does the following:
  • Removes the cleartext passwords from the user database.
  • Replaces the MD5 hashes in the user database with salted hashes
    • It also rotates the password by a configurable number of ASCII characters to further reduce the risk of a dictionary attack.
  • Modifies the "Lost password" feature to generate a new password and send it to the user.
This modification consists of five files:
  • client_changepassword.diff
    • This patch modifies modules/core/client_changepassword.php
  • default.login.diff
    • This patch modifies includes/LoginShare/default.login.php
  • functions_users.diff
    • This patch modifies includes/functions_users.php
  • md5_salt.php
    • This file should be placed in includes/
    • It includes the hashing, verification, and rotation functions used to secure the passwords.
  • updatepwd.php
    • This is a migration script. It takes the cleartext passwords in the database, updates the database with the secured hashes, and then removes the cleartext passwords from the database.
    • It should be placed in the Kayako root directory and executed, then deleted.
Installation (all paths are relative to the Kayako root directory, and assume that you have the "patch" utility on your system):
  1. Place md5_salt.php in includes/
  2. Place the three .diff files in the Kayako root directory
  3. From a shell in the Kayako home directory, run the following commands:
    patch -bu includes/LoginShare/default.login.php default.login.diff
    patch -bu modules/core/client_changepassword.php client_changepassword.diff
    patch -bu includes/functions_users.php functions_users.diff
  4. Place updatepwd.php in the Kayako root directory
  5. Go to http://[your support site here]/updatepwd.php in your web browser.
    1. You must run this script, otherwise clients will be unable to access the site.
    2. No output will be displayed; simply allow the script to stop running on its own.
    3. In the event that the script is interrupted, it can be re-run safely.
    4. The changes made by this script cannot be undone. In order to revert to the old password storage method, you will need to reset all of your users' passwords.
  6. Delete updatepwd.php from your web server.
After installing the modification, you may want to update the "lpmaildesc" phrase in your languages setting to reflect that a new password has been generated, and that the user will need to use the included password to log in in the future. You may also want to remove the "Password" field from the "email_autoresponder" template.

License / Warranty
I release my modifications to the Kayako source files (as described in the included .diff files) into the public domain.

md5_salt.php and updatepwd.php are released under the MIT License:
Copyright (c) 2008 Derek Kaser

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Attached Files
File Type: zip md5salt.zip (5.0 KB, 21 views)

Last edited by KB3LWJ; 30-06-2008 at 12:03 AM.
  (#2)
Jamie Edwards Offline
Operations Manager
 
Posts: 7,373
Join Date: Jan 2006
Location: England, UK
29-06-2008, 11:30 PM

Hi and thanks once again for sharing this modification with everyone


Jamie Edwards (jamie.edwards ]at[ kayako.com)
  (#3)
craigbrass Offline
Senior Member
 
Posts: 7,557
Join Date: Jun 2005
Location: Cumbria, UK
30-06-2008, 09:20 AM

Looking good! It will be a nice solution until Kayako release V4.


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)
  (#4)
kstange Offline
New Member
 
Posts: 1
Join Date: Oct 2007
02-11-2009, 08:48 PM

I have PM'ed KB3LWJ about this implementation. There is a significant security flaw present. I am not going to disclose the details until the problem is addressed, but I would strongly recommend this patch not be applied unless you are willing/able to fully audit the code to repair the problem.
  (#5)
dkaser Offline
New Member
 
Posts: 2
Join Date: Jun 2009
Location: Latrobe, PA
05-11-2009, 05:57 PM

Here's an updated copy of the contents for md5_salt.php:
PHP Code:
<?php
//=================================================================================
// Copyright (c) 2008 Derek Kaser
// 
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
// 
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
//
//=================================================================================

// function: md5saltHash
// input: $password = Password to be hashed
// returns: A string containing the password salt and password hash, with the salt and hash delimited by a dollar sign.
function md5saltHash($password)
{
    // Rotate the password bytes by the same fixed offset that md5saltValidatePassword() applies on login.
    $password = md5saltRotateAscii($password, 149);
    // 78 candidate salt characters (the repeated "0" is original); "$" is absent so the delimiter is unambiguous.
    $salt_characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890!@#%^&*()-_=+:;";
    $salt = "";
    for($i = 0; $i < 6; $i++)
    {
        // rand() is not a cryptographic generator; it is what the original mod uses.
        $salt .= $salt_characters[rand(0, 77)];
    }
    $passhash = md5($salt . $password);
    return($salt . "$" . $passhash);
}

// function: md5saltValidatePassword
// input: $db_hash = A string containing the password salt and password hash, with the salt and hash delimited by a dollar sign.
// input: $password = A plain-text password to validate against $db_hash
// returns: true if the password validates
// returns: false if the password does not validate 
function md5saltValidatePassword($db_hash, $password)
{
    // Same forward rotation as md5saltHash(): the stored hash can only be reproduced by repeating every step.
    $password = md5saltRotateAscii($password, 149);
    $exploded = explode("$", $db_hash);
    $newhash = md5($exploded[0] . $password);
    // Strict comparison: with "==" PHP treats hex digests such as "0e..." as numbers and can report a false match.
    if($newhash === $exploded[1])
    {
        return true;
    } else {
        return false;
    }
}

// function: md5saltRotateAscii
// input: $string = The string to rotate.
// input: $offset = The offset for each character in $string. 
// returns: The rotated string.
function md5saltRotateAscii($string, $offset)
{
    $newstring = "";
    for($i = 0; $i < strlen($string); $i++)
    {
        $ord = ord($string[$i]);
        $ord += $offset;
        // Wrap within one byte (valid for offsets between -255 and 255).
        if($ord > 255) $ord -= 256;
        if($ord < 0) $ord += 256;
        // String concatenation (".="), not "+=": numeric addition would collapse the result to a number.
        $newstring .= chr($ord);
    }
    return $newstring;
}

?>
As a warning, though, I wouldn't advise using this on newer versions of Kayako without extensive testing -- I haven't tested this modification since v3.20.02, so it may not work as intended on the newer versions.

Last edited by dkaser; 05-11-2009 at 05:59 PM.
  (#6)
Jamie Edwards Offline
Operations Manager
 
Jamie Edwards's Avatar
 
Posts: 7,373
Join Date: Jan 2006
Location: England, UK
10-11-2009, 04:01 PM

One of our customers has contacted us with the following information about this patch:

Quote:
1) in md5saltHash() the password is ASCII rotated forward by 149.

2) in md5saltValidatePassword() the login attempt's password is ASCII rotated backward by 149, meaning the password verification is comparing two strings that should NEVER be the same, so login should always fail.
This might have been a mixup thinking you had to undo the effect on the hash. You have to do all the same things to the submitted password to get the same hash.

3) md5saltRotateAscii() is very broken: $newstring += chr($ord); takes the numeric values of those strings and sums them. Almost all passwords end up setting $newstring to "0", which means that the updatepwd.php sets all the passwords on the system to "0" and then it also tests all of the login attempts as if they were "0" and accepts any password that's supplied.

This is a simple syntax error, where "+=" should be ".=", but it is a very serious fault for anyone that might decide to apply the patches.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
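Added example, not code from the mod or from Kayako: a Python reimplementation of the scheme in md5_salt.php from post #5 (per-byte rotation by 149, a 6-character salt from the same 78-character alphabet, MD5, stored as "salt$hex"). The verification function takes an example-only `login_offset` parameter so the backward rotation described in point 2 of the report above can be reproduced and shown to fail. It also includes a constructed stand-in for the updatepwd.php migration described in the first post (whose source is not shown in this thread) that skips rows already in salt$hex form, which is what makes re-running it safe. All function names, the sample rows and the column names are this example's own assumptions; unlike the PHP, it compares digests in constant time and draws the salt from a CSPRNG.

```python
import hashlib
import hmac
import random
import secrets

ROTATE_OFFSET = 149   # fixed per-byte offset used by the mod's md5saltHash()
SALT_LENGTH = 6
# Same 78 characters as md5_salt.php (the repeated "0" is in the original too).
# "$" is absent, so "salt$hash" can be split unambiguously.
SALT_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "01234567890!@#%^&*()-_=+:;")


def rotate_ascii(data: bytes, offset: int) -> bytes:
    """md5saltRotateAscii equivalent: add offset to every byte, wrapping modulo 256."""
    return bytes((b + offset) % 256 for b in data)


def make_salt(rng=secrets) -> str:
    """Six characters from SALT_ALPHABET. rng is injectable for deterministic
    tests; the default is a CSPRNG, unlike PHP rand() in the original mod."""
    return "".join(rng.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))


def md5salt_hash(password: str, salt: str = None) -> str:
    """Store as 'salt$hex' where hex = MD5(salt || rotate(password, 149))."""
    if salt is None:
        salt = make_salt()
    rotated = rotate_ascii(password.encode("utf-8"), ROTATE_OFFSET)
    digest = hashlib.md5(salt.encode("ascii") + rotated).hexdigest()
    return salt + "$" + digest


def md5salt_validate(db_hash: str, password: str,
                     login_offset: int = ROTATE_OFFSET) -> bool:
    """Recompute from the stored salt and compare in constant time.
    login_offset is an example-only knob: passing -ROTATE_OFFSET reproduces the
    backward rotation of the first release, which can never match a stored hash."""
    salt, sep, stored = db_hash.partition("$")
    if sep != "$":
        return False
    rotated = rotate_ascii(password.encode("utf-8"), login_offset)
    candidate = hashlib.md5(salt.encode("ascii") + rotated).hexdigest()
    return hmac.compare_digest(candidate, stored)


def is_migrated(stored: str) -> bool:
    """True for a 'salt$hex' value; a legacy row holds a bare 32-hex MD5 with no '$'."""
    salt, sep, digest = stored.partition("$")
    return (sep == "$" and len(salt) == SALT_LENGTH and len(digest) == 32
            and all(c in "0123456789abcdef" for c in digest))


def migrate_users(rows, rng=secrets):
    """Constructed stand-in for updatepwd.php (not its real code): hash each
    cleartext password into the 'md5' column and blank the cleartext. Rows already
    in salt$hex form are left alone, so an interrupted run can be repeated safely."""
    migrated = []
    for row in rows:
        new = dict(row)
        if not is_migrated(new["md5"]):
            new["md5"] = md5salt_hash(new["password"], make_salt(rng))
        new["password"] = ""
        migrated.append(new)
    return migrated


# Constructed sample rows shaped like the columns the first post describes
# (cleartext 'password' beside a legacy unsalted 'md5'); not real Kayako data.
SAMPLE_USERS = [
    {"userid": 1, "email": "alice@example.com", "password": "correct horse",
     "md5": hashlib.md5(b"correct horse").hexdigest()},
    {"userid": 2, "email": "bob@example.com", "password": "hunter2",
     "md5": hashlib.md5(b"hunter2").hexdigest()},
]


def migrate_demo(seed: int = 1):
    """Run the migration over SAMPLE_USERS with a seeded RNG so results repeat."""
    return migrate_users(SAMPLE_USERS, random.Random(seed))


if __name__ == "__main__":
    for r in migrate_demo():
        print(r["email"], r["md5"], md5salt_validate(r["md5"], "hunter2"))
```

Running `migrate_demo()` twice on the same rows gives the same table, and passing its output back through `migrate_users()` leaves it unchanged; `md5salt_validate(h, pw, login_offset=-149)` returns False for every correct password, which is the login failure the report describes.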
Tags
hash, passwords, salt