It is always interesting to look at various CMSes and how they implement security. For this post I'll be covering the password hashing methods eZ Publish uses up to (at least) release 4.6. The post is based on the PHP class file kernel\classes\datatypes\ezuser\ezuser.php; more detail can be found there.

Various password constants and their use

The basis for this list is the static function below; each constant selects one branch of it:

static function createHash( $user, $password, $site, $type, $hash = false )
PASSWORD_HASH_MD5_PASSWORD
MD5 of the password only. The same password yields the same hash for every user and every site, so a precomputed MD5 lookup table applies directly.

        $str = md5( $password );
        
PASSWORD_HASH_MD5_USER
MD5 of user name and password, which happens to be the default. The user name acts as a (predictable) salt: identical passwords give different hashes per user, but anyone who has the hash normally has the user name too.

        $str = md5( "$user\n$password" ); // notice the newline character!!!
        
PASSWORD_HASH_MD5_SITE
MD5 of user name, password and site name

        $str = md5( "$user\n$password\n$site" ); // again, notice the newline characters!!!
        
PASSWORD_HASH_MYSQL
Legacy support for MySQL-hashed passwords. The hash is not computed in PHP at all; the database server's own PASSWORD() function produces it, so its format depends on the MySQL version.

            $db = eZDB::instance();
            $hash = $db->escapeString( $password ); // the escape is what keeps the password from breaking out of the SQL string literal below

            $str = $db->arrayQuery( "SELECT PASSWORD( '$hash' )" );
            $hashes = array_values( $str[0] );
            $str = $hashes[0];
        
PASSWORD_HASH_PLAINTEXT
Passwords stored in plaintext; should not be used on real sites.

        $str = $password;
        
PASSWORD_HASH_CRYPT
Passwords hashed with PHP's crypt()

            if ( $hash ) // $hash is an input parameter that defaults to false. When a stored hash is passed in, crypt() takes its salt from that string, which is how an existing hash gets re-checked; with no salt crypt() picks one itself.
            {
                $str = crypt( $password, $hash );
            }
            else
            {
                $str = crypt( $password );
            }
        
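To make the formats above checkable without an eZ Publish installation, here is an added example (in Python, not eZ Publish's PHP, and not code from ezuser.php) that reproduces the MD5 variants with their newline separators, emulates the MySQL 4.1+ PASSWORD() scheme that the PASSWORD_HASH_MYSQL branch relies on (an assumption about the database version; older servers used a different algorithm), verifies a candidate password against a stored hash, and runs a small dictionary check. PASSWORD_HASH_CRYPT is left out because it delegates to the platform crypt(3). The user, site and word list are constructed sample data.

```python
"""Offline re-implementation of the hash formats eZ Publish's createHash() stores.

Added example in Python; it is not code from ezuser.php. PASSWORD_HASH_CRYPT
is omitted because it delegates to the platform crypt(3) and the stored salt.
"""
import hashlib
import hmac


def mysql41_password(password: str) -> str:
    """Emulate MySQL's PASSWORD() as implemented since MySQL 4.1:
    '*' followed by the upper-case hex of SHA1(SHA1(password)).

    Assumption: the site's database server uses this 4.1+ scheme. eZ Publish
    itself only runs SELECT PASSWORD('...'), so against a pre-4.1 server the
    older 16-hex-digit algorithm would apply instead (not reproduced here).
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def ez_create_hash(user: str, password: str, site: str, hash_type: str) -> str:
    """Return the hash eZ Publish would store for the given hash type.

    The "\\n" separators mirror those in ezuser.php; they are what make the
    user/password split unambiguous inside the hashed string.
    """
    if hash_type == "PASSWORD_HASH_MD5_PASSWORD":
        material = password
    elif hash_type == "PASSWORD_HASH_MD5_USER":
        material = f"{user}\n{password}"
    elif hash_type == "PASSWORD_HASH_MD5_SITE":
        material = f"{user}\n{password}\n{site}"
    elif hash_type == "PASSWORD_HASH_MYSQL":
        return mysql41_password(password)
    elif hash_type == "PASSWORD_HASH_PLAINTEXT":
        return password
    else:
        raise ValueError(f"unsupported hash type: {hash_type}")
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def ez_verify(user: str, password: str, site: str, hash_type: str, stored: str) -> bool:
    """Check a candidate password against a stored hash with a constant-time compare."""
    candidate = ez_create_hash(user, password, site, hash_type)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def separator_matters(user_a: str, pw_a: str, user_b: str, pw_b: str):
    """Show why the newline is there. Without a separator, two different
    (user, password) pairs whose concatenation is identical hash the same.
    Returns (equal_without_newline, equal_with_newline)."""
    naive_a = hashlib.md5((user_a + pw_a).encode("utf-8")).hexdigest()
    naive_b = hashlib.md5((user_b + pw_b).encode("utf-8")).hexdigest()
    ez_a = ez_create_hash(user_a, pw_a, "", "PASSWORD_HASH_MD5_USER")
    ez_b = ez_create_hash(user_b, pw_b, "", "PASSWORD_HASH_MD5_USER")
    return naive_a == naive_b, ez_a == ez_b


def crack(user: str, site: str, hash_type: str, stored: str, wordlist):
    """Dictionary check of a leaked hash. MD5_USER and MD5_SITE need the user
    name (and site) alongside the hash, but both normally sit next to it in
    the database, and unsalted MD5 adds no work factor per guess."""
    for word in wordlist:
        if ez_verify(user, word, site, hash_type, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample data, not taken from a real eZ Publish installation.
    user, site = "admin", "example.com"
    stored = ez_create_hash(user, "password", site, "PASSWORD_HASH_MD5_USER")
    print("stored hash:", stored)
    print("cracked:", crack(user, site, "PASSWORD_HASH_MD5_USER", stored,
                            ["letmein", "123456", "password"]))
    print("separator matters:", separator_matters("ab", "c", "a", "bc"))
```

The `separator_matters("ab", "c", "a", "bc")` call returns `(True, False)`: concatenated naively, user "ab" with password "c" and user "a" with password "bc" are indistinguishable, while the newline in the real scheme keeps them apart. None of this adds cost for an attacker, though: every MD5 variant is a single unsalted or predictably salted digest, so the dictionary loop in `crack()` runs at raw MD5 speed.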