[Answered] Need plaintext paawords in general please

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
leruler
Registered User
Posts: 15
Joined: Fri Oct 11, 2002 3:10 pm

[Answered] Need plaintext paawords in general please

Post by leruler » Fri Oct 11, 2002 3:17 pm

Hallo

for some importend Reason i need plaintext password instead of MD5.
so i found that one:

find . -type f| xargs grep md5
./admin/admin_users.php: $password = md5($password);
./includes/bbcode.php: $uid = md5(mt_rand());
./includes/sessions.php: $session_id = md5(uniqid($user_ip));
./includes/usercp_register.php: if ( $row['user_password'] != md5($cur_password) )
./includes/usercp_register.php: $new_password = md5($new_password);
./includes/usercp_register.php: if ( $row['user_password'] != md5($cur_password) )
./includes/usercp_sendpasswd.php: SET user_newpasswd = '" . md5($user_password) . "', user_actkey = '$user_actkey'


is there any Chance for a DIFF ?

leruler
Registered User
Posts: 15
Joined: Fri Oct 11, 2002 3:10 pm

Post by leruler » Fri Oct 11, 2002 3:40 pm

i understand Security Issues but i should possible to let the User decide

DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am
Contact:

Re: Need plaintext paawords in general please

Post by DanielT » Fri Oct 11, 2002 3:47 pm

leruler wrote: Hallo

for some importend Reason i need plaintext password instead of MD5.
so i found that one:

find . -type f| xargs grep md5
./admin/admin_users.php: $password = md5($password);
./includes/bbcode.php: $uid = md5(mt_rand());
./includes/sessions.php: $session_id = md5(uniqid($user_ip));
./includes/usercp_register.php: if ( $row['user_password'] != md5($cur_password) )
./includes/usercp_register.php: $new_password = md5($new_password);
./includes/usercp_register.php: if ( $row['user_password'] != md5($cur_password) )
./includes/usercp_sendpasswd.php: SET user_newpasswd = '" . md5($user_password) . "', user_actkey = '$user_actkey'


is there any Chance for a DIFF ?


on all the above found remove the md5( and the closing )

btw you will need to login using a full md5 version of you current admin password then change your password (i can give you a link to a converter 4 you if you need)

it works fine i have it implimented on my school board

:D

leruler
Registered User
Posts: 15
Joined: Fri Oct 11, 2002 3:10 pm

Re: Need plaintext paawords in general please

Post by leruler » Fri Oct 11, 2002 4:09 pm

on all the above found remove the md5( and the closing )

btw you will need to login using a full md5 version of you current admin password then change your password (i can give you a link to a converter 4 you if you need)

it works fine i have it implimented on my school board

:D


any example maybe for one line ?
and please post the the link to the converter, yes i need ;D

Regards and Thankx
leruler

DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am
Contact:

Re: Need plaintext paawords in general please

Post by DanielT » Fri Oct 11, 2002 4:13 pm

leruler wrote:

on all the above found remove the md5( and the closing )

btw you will need to login using a full md5 version of you current admin password then change your password (i can give you a link to a converter 4 you if you need)

it works fine i have it implimented on my school board

:D


any example maybe for one line ?
and please post the the link to the converter, yes i need ;D

Regards and Thankx
leruler



http://pajhome.org.uk/crypt/md5/index.html

:D

DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am
Contact:

Re: Need plaintext paawords in general please

Post by DanielT » Fri Oct 11, 2002 4:15 pm

Current wrote: $password = md5($password);
To wrote: $password = $password;


:D

leruler
Registered User
Posts: 15
Joined: Fri Oct 11, 2002 3:10 pm

Post by leruler » Fri Oct 11, 2002 5:06 pm

very much thankx ;-)

DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am
Contact:

Post by DanielT » Fri Oct 11, 2002 5:09 pm

No problem

:D

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Fri Oct 11, 2002 5:23 pm

/me faints when he sees the request

Smelling salts anyone? Anybody have smelling salts? :P
Why on earth do you want plaintext? You are inviting crackers galore.
Proven Offensive Security Expertise. OSCP - GXPN

DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am
Contact:

Post by DanielT » Fri Oct 11, 2002 5:24 pm

Techie-Micheal wrote: /me faints when he sees the request

Smelling salts anyone? Anybody have smelling salts? :P
Why on earth do you want plaintext? You are inviting crackers galore.


Yup,

but i just gave what he wanted

i did this once,

never again i would do it tho

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Fri Oct 11, 2002 6:33 pm

I would guess so. :P Putting answered on here even though this belongs in mod support . . . ;)
Proven Offensive Security Expertise. OSCP - GXPN

leruler
Registered User
Posts: 15
Joined: Fri Oct 11, 2002 3:10 pm

Post by leruler » Fri Oct 18, 2002 1:28 pm

OK, youre right. Plaintext is not secure but for changing the default auth mechanism worked.

Now i tryed it with replacing all found 'md5' with 'crypt'
The passwords are now crypted and my other Bachend can succesfully authenticat.
But NOT phpbb ! with plaintext yes with md5 yes but not with crypt ?

Please Help

Regards
leruler

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Fri Oct 18, 2002 3:45 pm

Well, as far as I know, mysql doesn't support crypt.
Proven Offensive Security Expertise. OSCP - GXPN

etegration
Registered User
Posts: 63
Joined: Thu Jul 11, 2002 1:30 pm
Location: Singapore
Contact:

Re: Need plaintext paawords in general please

Post by etegration » Fri Oct 18, 2002 4:47 pm

DanielT wrote:
this doesn't decrypt properly.for example a password stored as 6aff19afdc74eb5fbcc612c853c5e364 it translate into junk also...

leruler
Registered User
Posts: 15
Joined: Fri Oct 11, 2002 3:10 pm

Post by leruler » Sat Oct 19, 2002 1:01 pm

mysql understands crypt proberlly. I can put a crypted pass there and my other backend can succesfully understand it. But phpbb not :(

if i substitute all 'md5' words with 'crypt' so phpbb, if you register eg, creates a new User with a crypt Pass. But cant authenticate, my other backend can

Regards
leruler

Locked

Return to “2.0.x Support Forum”