effixx wrote: Sat Feb 17, 2024 11:51 amre-encrypting the passwords that were stored in plain text
Neither is that "re"encryption, nor does phpBB encrypt password - it stores a hash of it, that's also where
salt starts to make sense.
effixx wrote: Sat Feb 17, 2024 11:51 amWhere can I read out the required SALT value?
It differs per used algorithm (driver) and per user (as in: it's not set globally, as that would be
pepper, not salt), otherwise 2 same passwords would end in the same hash, making it easy to break it once and then use it for other accounts, too.
Since phpBB comes in files, simply use
a better text editor and search all those files for text of your interest, like
salt
. The results are all the file's lines which match your search. Then just check each to see if the context is nearest to your interest. In this case I'd look at the database tables - since a user password is most likely stored in such a table, I'd look at the column names and then have candidates to search for, since the PHP code must at one point make use of those column names - I'd search for
user_password
.
Long story short: you don't need to know. Instead you may have found
/phpBB/includes/acp/acp_users.php since the ACP's user module is able to set a user's password right away. Finding
line 990 shows us how to just generate the hash out of a password. Since we can code we know the variable must first be declared somewhere, which is on
line 896. In sum we have:
Code: Select all
$passwords_manager = $phpbb_container->get('passwords.manager'); // Line 896: instantiate generator with a default algorithm
$new_hash = $passwords_manager->hash('new_password'); // Line 990: calculate hash of input text to be stored
How to store then the content of
$new_hash
in the database's proper dataset shouldn't be a challenge to you.
effixx wrote: Mon Feb 19, 2024 12:02 pmif this value is used as SALT for login ?
Yes: it is neither used for password hashes, nor for the login in particular, but instead (as the name suggests) for HTML forms (including the one you submit with your credentials). Its purpose is to secure phpBB against
cross-site request forgery insofar that forms upon rendering always carry a unique ID that must match the stored one, when processing that submitted form. This also prevents harm when submitting the same form twice (like for deleting something).
The user password is not only used for logging in to the board - it is also used for changing the account email address, the account password itself and accessing the ACP.