Bug Report / Development Choice = Usage of MySQL PASSWORD()
Posted: Thu Jul 21, 2011 8:18 am
Distro: Ubuntu 11.04
Source: ZoneMinder 1.24.2

ZoneMinder is using the not recommended MySQL PASSWORD() function to scramble the passwords with a custom encryption by MySQL and store them in the zm.Users.Password field instead of using the standard SHA1 function. This prevents the usage of the Apache2 mod_authn_dbd module or any other method to use the ZoneMinder zm.Users table for authentication purposes.

http://dev.mysql.com/doc/refman/5.1/en/ ... n_password
"The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead."

web\includes\actions.php
1447: $changes['Password'] = "Password = password('".dbEscape($_REQUEST['newUser']['Password'])."')";
1543: $changes['Password'] = "Password = password('".dbEscape($_REQUEST['newUser']['Password'])."')";

As a solution to this problem, the ZoneMinder source lines above should be changed to the ones below as per the Apache password format recommendation: http://httpd.apache.org/docs/current/mi ... tions.html

web\includes\actions.php
// "{SHA}" is the prefix Apache expects for its SHA1 password format
1447: $changes['Password'] = "Password = '".dbEscape('{SHA}'.base64_encode(sha1($_REQUEST['newUser']['Password'],TRUE)))."'";
1543: $changes['Password'] = "Password = '".dbEscape('{SHA}'.base64_encode(sha1($_REQUEST['newUser']['Password'],TRUE)))."'";

web\includes\functions.php
51: $sql = "select * from Users where Username = '".$dbUsername."' and Password = '".'{SHA}'.base64_encode(sha1($dbPassword,TRUE))."' and Enabled = 1";

Afterwards you should be able to implement mod_authn_dbd with the settings below, along with ZoneMinder's remote authentication option enabled, to get HTTP basic authentication to work and get rid of the need for a custom ZoneMinder internal user logon page.

/etc/apache2/sites-enabled/000-default
DBDriver mysql
DBDParams "dbname=zm user=zmuser password=zmpass"
Alias /zm /usr/share/zoneminder
<Directory /usr/share/zoneminder>
    AuthType Basic
    AuthName "ZoneMinder"
    AuthBasicProvider dbd
    Require valid-user
    AuthDBDUserPWQuery "SELECT Password FROM Users WHERE Username = %s"
    php_flag register_globals off
    Options Indexes FollowSymLinks
    <IfModule mod_dir.c>
        DirectoryIndex index.php
    </IfModule>
</Directory>

Commands
ln -s ../mods-available/dbd.load /etc/apache2/mods-enabled/dbd.load
ln -s ../mods-available/authn_dbd.load /etc/apache2/mods-enabled/authn_dbd.load
apt-get install libaprutil1-dbd-mysql
service apache2 restart
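
Rows written before this change still hold MySQL PASSWORD() values, which cannot be converted without the plaintext, so one option is to accept both formats at login and rewrite the row on success. The PHP below is an added example, not code from the post or from ZoneMinder: the function names are hypothetical, it assumes MySQL 4.1+ PASSWORD() hashes and the "{SHA}" prefix from Apache's password format documentation, and the sample hash is constructed.

```php
<?php
// Added example, not ZoneMinder code. All function names are hypothetical.

// Apache "{SHA}" scheme: prefix + base64 of the raw 20-byte SHA-1 digest.
function apacheShaHash($password)
{
    return '{SHA}' . base64_encode(sha1($password, true));
}

// MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password)).
function mysqlPasswordHash($password)
{
    return '*' . strtoupper(sha1(sha1($password, true)));
}

// Classify a stored Users.Password value by its shape.
function storedScheme($stored)
{
    if (strncmp($stored, '{SHA}', 5) === 0) {
        return 'apache-sha';
    }
    if (strlen($stored) === 41 && $stored[0] === '*') {
        return 'mysql-password';
    }
    return 'unknown';
}

// Returns array($ok, $rehash). $rehash is non-null only when the login
// succeeded against a legacy PASSWORD() value; the caller should then store
// it in Users.Password so that mod_authn_dbd can validate the account.
function verifyAndUpgrade($password, $stored)
{
    switch (storedScheme($stored)) {
        case 'apache-sha':
            return array(hash_equals($stored, apacheShaHash($password)), null);
        case 'mysql-password':
            $ok = hash_equals($stored, mysqlPasswordHash($password));
            return array($ok, $ok ? apacheShaHash($password) : null);
        default:
            return array(false, null);
    }
}

// Constructed sample: the value PASSWORD('password') stores on MySQL 4.1+.
$legacy = '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19';
list($ok, $rehash) = verifyAndUpgrade('password', $legacy);
var_dump($ok, $rehash);
```

Both schemes are unsalted SHA-1, so this restores compatibility with mod_authn_dbd but does not make the stored hashes any harder to crack.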