Bug tracker

This ticket has been moved to our new tracker. Open Ticket PHPBB3-1944 now.

hashed password mailed to new user (fix completed in vcs)

Noticed in CVS dated 2006-10-24 22:57 (UTC-6, Mountain Daylight Time).

When I registered the first user on my brand new CVS download of Olympus, it mailed me the hashed password rather than the cleartext password. The username and part of the hashed password have been changed to protect the innocent.

----------------------------
Username: someuser
Password: 9117624f898b90a2ca2d62eb460494b3
----------------------------

I was able to log in using the actual password entered rather than the hash I received. I verified in phpMyAdmin that the mailed password matches the hash in the db for that user.

In case versions are relevant:
PHP 5.1.6-1
MySQL 5.0.24a
Apache 2.0.55
Debian Etch
Kernel - 2.6.17-2-686 #1 SMP Wed Sep 13 16:34:10 UTC 2006 i686 GNU/Linux

Comments / History

Posted by elyograg on Oct 25th 2006, 06:30

In includes/ucp/ucp_register.php, there are a couple of places that look like this:

'PASSWORD'              => html_entity_decode($user_row['user_password']),

They should probably look something like this (total guess, Perl is my strength, not PHP):

'PASSWORD'              => html_entity_decode($data['new_password']),

Posted by elyograg on Oct 25th 2006, 15:08

I couldn't tell from a quick look whether the existence of $user_row is for programming convenience or is also security-related, so I don't know if accessing $data directly like I have proposed is a bad idea or not.

Linked ticket with changeset: r6526

Action performed by DavidMJ (Former Team Member) on Oct 25th 2006, 18:53
