1 --- ./main.php 2014-11-16 14:53:38.235094774 +0200
2 +++ ./main.php 2014-11-16 14:52:37.000000000 +0200
7 +function setup_session(&$cleartext_pw) {
8 + $_SESSION['logged_in'] = 1;
9 + $_SESSION['key'] = md5("%dJ9&".strtolower($cleartext_pw)."(/&k.=".strtoupper($cleartext_pw)."1x&%");
10 + // delete cleartext pw in memory
12 + unset($cleartext_pw);
15 +// use master password if HTTP Basic Auth is set
16 +$authenticated = !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW']);
17 +if ($authenticated && isset($master_password)) {
18 + setup_session($master_password);
22 if (!isset($_SESSION['logged_in']))
25 if ($crypt_pw == $db_pw)
27 // password match - proceed
28 - $_SESSION['logged_in'] = 1;
29 - $_SESSION['key'] = md5("%dJ9&".strtolower($cleartext_pw)."(/&k.=".strtoupper($cleartext_pw)."1x&%");
31 + setup_session($cleartext_pw);
33 // delete cleartext pw in memory
35 $_SESSION['version']=$entries->version;
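Review bot: The new Basic Auth branch, `$authenticated = !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW']);`, only tests that the two values are non-empty and never compares them with anything, so `setup_session($master_password)` runs for any request that carries an Authorization header. In common setups such as mod_php, PHP fills these variables from the client's header whether or not the web server enforces authentication for this path. The branch is therefore safe only if every route to main.php sits behind server-side auth, which the patch neither checks nor documents. Prefer a value the server normally sets only after verifying the credentials, e.g. `$authenticated = !empty($_SERVER['REMOTE_USER']);`, or compare the supplied credentials with configured ones using `hash_equals()`. Separately, `unset($cleartext_pw)` inside `setup_session()` drops only the function's local reference, so the caller's `$master_password` stays in memory and the `// delete cleartext pw in memory` comment overstates the effect; some lines of this section are not visible here, so confirm against the full file.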
36 --- w3pw-1.40/include/config.php 2014-11-16 14:55:26.126783112 +0200
37 +++ w3pw-1.40/include/config.php 2014-11-16 14:40:39.000000000 +0200
39 // generated when adding a new entry
40 $random_pw_length = 12;
42 +// master password -- used when $_SERVER PHP_AUTH_USER and PHP_AUTH_PW are set
43 +#$master_password = "secret";
45 // don't report Database-Errors on Frontend
46 //error_reporting(E_ERROR);
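Review bot: The comment on the new `$master_password` option does not say that enabling it keeps the master password in cleartext in `include/config.php`. main.php passes that value to `setup_session()` to derive `$_SESSION['key']`, so anyone who can read this file can compute the same key. I would extend the comment, e.g. `// WARNING: stored in cleartext; anyone who can read this file can derive the session key. Enable only behind server-enforced auth and restrict file permissions.` The sample value `"secret"` is also easy to leave in place once the line is uncommented; an empty default combined with `!empty($master_password)` in main.php (instead of `isset`) would make an unconfigured value inert.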
48 --- w3pw-1.40/index.php 2014-11-17 20:42:31.565202759 +0200
49 +++ w3pw-1.40/index.php 2014-11-17 20:45:06.000000000 +0200
54 +if (!empty($_SESSION['logged_in'])) {
55 + header("Location: main.php");
60 <title>w3pw Login</title>