Bug Report / Development Choice = Usage of MySQL PASSWORD()

Forum for questions and support relating to the 1.24.x releases only.
Post Reply
JakFrost
Posts: 5
Joined: Sun Jul 03, 2011 10:41 am

Bug Report / Development Choice = Usage of MySQL PASSWORD()

Post by JakFrost » Thu Jul 21, 2011 8:18 am

ZoneMinder is using the not recommended MySQL PASSWORD() function to scramble the passwords with a custom encryption by MySql and store them in the zm.Users.Password field instead of using standard SHA1 function. This prevents the usage of the Apache2 mod_authn_dbd module's or any other method to use the ZoneMinder zm.Users table for authentication purposes.

http://dev.mysql.com/doc/refman/5.1/en/ ... n_password
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead.
Source: ZoneMinder 1.24.2

web\includes\actions.php

Code: Select all

1447:                 $changes['Password'] = "Password = password('".dbEscape($_REQUEST['newUser']['Password'])."')";
1543:                $changes['Password'] = "Password = password('".dbEscape($_REQUEST['newUser']['Password'])."')";
As a solution to this problem the ZoneMinder source lines above should be changed to the ones below as per Apache password format recommendation : http://httpd.apache.org/docs/current/mi ... tions.html

web\includes\actions.php

Code: Select all

1447:                $changes['Password'] = "Password = '".dbEscape('{SHA1}'.base64_encode(sha1($_REQUEST['newUser']['Password'],TRUE)))."'";
1543:                $changes['Password'] = "Password = '".dbEscape('{SHA1}'.base64_encode(sha1($_REQUEST['newUser']['Password'],TRUE)))."'";
web\includes\functions.php

Code: Select all

51:            $sql = "select * from Users where Username = '".$dbUsername."' and Password = '".'{SHA1}'.base64_encode(sha1($dbPassword,TRUE))."' and Enabled = 1";
Afterwards you should be able to implement the mod_authn_dbd with the settings below along with ZoneMinder's remote authentication option enabled to get http basic authentication to work and get rid of the need for a custom zoneminder internal user logon page.

/etc/apache2/sites-enabled/000-default

Code: Select all

        DBDriver mysql
        DBDParams "dbname=zm user=zmuser password=zmpass"

        Alias /zm /usr/share/zoneminder
        <Directory /usr/share/zoneminder>
                AuthType Basic
                AuthName "ZoneMinder"
                AuthBasicProvider dbd
                Require valid-user
                AuthDBDUserPWQuery "SELECT Password FROM Users WHERE Username = %s"

                php_flag register_globals off
                Options Indexes FollowSymLinks
                <IfModule mod_dir.c>
                        DirectoryIndex index.php
                </IfModule>
        </Directory>
Commands

Code: Select all

ln -s ../mods-available/dbd.load /etc/apache2/mods-enabled/dbd.load
ln -s ../mods-available/authn_dbd.load /etc/apache2/mods-enabled/authn_dbd.load
apt-get install libaprutil1-dbd-mysql
service apache2 restart
Distro: Ubuntu 11.04

User avatar
zoneminder
Site Admin
Posts: 5220
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK
Contact:

Re: Bug Report / Development Choice = Usage of MySQL PASSWOR

Post by zoneminder » Sat Jul 23, 2011 9:12 pm

Thanks for this, it looks interesting. It would have to be implemented as an optional change though as otherwise users would have to re-enter passwords for existing systems on upgrades.
Phil

Post Reply

Who is online

Users browsing this forum: No registered users and 5 guests