Skip to:
Content

bbPress.org

Opened 7 years ago

Last modified 7 years ago

#1928 new defect

nonrehashed user passwords

Reported by: capsx Owned by: netweb
Milestone: Future Release Priority: high
Severity: normal Version: 2.1.2
Component: API - Importers Keywords:
Cc: stephen@…

Description

nonrehashed user passwords

in the phpBB user table there is a row named "user_pass_convert" - and this must be taken into account
it has a value 1 if user password is not fully rehashed
it means, that after user posted password, it will be hashed with md5, and only after that compared to the password hash

for example - when user first time log in to phpbb after that phpbb was upgraded from 2 to 3 - password is compared in that way (with md5 hash), and after that it is changed to the new password hash from password without md5 and updated in the database, also user_pass_convert is set to 0

now - if forum is updated from 2->3 - and that forum is converted to phpBB - password comparing always will fail

temporary fix for that (cause ALL user passwords are nonrehashed - no one logged in) is to put in converters/phpBB.php line $password = md5($password);

public function authenticate_pass($password, $serialized_pass) {

$password = md5($password);
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
$pass_array = unserialize($serialized_pass);
if (strlen($pass_arrayhash?) == 34) {

return ($this->_hash_crypt_private($password, $pass_arrayhash?, $itoa64) === $pass_arrayhash?) ? true : false;

}

return (md5($password) === $pass_arrayhash?) ? true : false;

}

in that function is check for old style passwords:
"if (strlen($pass_arrayhash?) == 34) {"
but passwords are new hashes, and lenght will be 34 symbols, only those hashes will be from phpbbhashfunction(md5(password)) - sou comparing against phpbbhashfunction(password) will always fail, and converted users will not log in

Attachments (1)

phpBB-pass_arrayhash.diff (1.0 KB) - added by netweb 7 years ago.

Download all attachments as: .zip

Change History (8)

#1 @capsx
7 years ago

edit:

now - if phpBB forum is updated from 2->3 - and that forum is converted to bbpress - password comparing always will fail

#2 @netweb
7 years ago

  • Cc stephen@… added

#3 @johnjamesjacoby
7 years ago

  • Owner set to netweb

Can you turn this into a diff patch? Having never seen what data converted from phpBB2 to phpBB3 looks like, I'm taking your word for it. Netweb, are you able to confirm anything here?

#4 follow-up: @netweb
7 years ago

There's the diff, I will do some testing with it tomorrow (need to get admin pw) with a phpBB install I know has v2 users migrated to v3

#5 in reply to: ↑ 4 @capsx
7 years ago

Replying to netweb:

There's the diff, I will do some testing with it tomorrow (need to get admin pw) with a phpBB install I know has v2 users migrated to v3

stop stop

guys - code is a bit messed up - cause i pasted as a plaintext here ...

also $password = md5($password) must be used ONLY if in the phpBB database phpbb_users row user_pass_convert = 1 (it means that after phpBB upgrade from 2->3 , user was not logged in - and password is in the nonrehashed fromat, and must be rahashed)

sou:

  1. in the convert process row user_pass_convert from phpbb_users must be copied to the user metadata
  2. when user log in and get_user_meta($user_id, 'user_pass_convert', true) == 1, only then function authenticate_pass must use $password = md5($password).

alternate method is:

if in function authenticate_pass $this->_hash_crypt_private return FALSE, try to do the same only with $password = md5($password)

#6 @netweb
7 years ago

After chatting with 'capsx' Friday night, he is converting from phpBB v2 -> phpBB v3 -> bbPress 2.1x

The password format for migrated users from from phpBBv2 into phpBBv3 are not converted to the phpBB v3 format until the user logs in the first time to phpBB v3

if user_pass_convert=0 (standard phpBB v3 User OR migrated phpBBv2 user who has logged into phpBB v3)

	public function authenticate_pass($password, $serialized_pass) {
		$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
		$pass_array = unserialize($serialized_pass);
		if (strlen($pass_array['hash']) == 34) {				
			return ($this->_hash_crypt_private($password, $pass_array['hash'], $itoa64) === $pass_array['hash']) ? true : false;
		}
	
		return (md5($password) === $pass_array['hash']) ? true : false;
	}

if user_pass_convert=1 (Migrated phpBB v2 user who has NOT logged into phpBB v3)

	public function authenticate_pass($password, $serialized_pass) {
		$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
		$pass_array = unserialize($serialized_pass);
		if (strlen($pass_arrayhash?) == 34) {				
			return ($this->_hash_crypt_private($password, $pass_arrayhash?, $itoa64) === $pass_arrayhash?) ? true : false;
		}
	
		return (md5($password) === $pass_arrayhash?) ? true : false; 
	}

I see two options available to us:

  1. Put some 'if, then' logic for user_pass_convert into function authenticate_pass of phpBB.php
  2. Fork phpBB.php to phpBBv2.php creating a direct phpBB v2 - bbPress 2.1x converter

There is very little difference between the database schema of phpBB v2 & phpBB v3 so as my coding skills are no where near good enough to implement option 1 above, i'll take a shot at a adding a direct phpBB v2 -> bbPress 2.1x converter.

#7 @johnjamesjacoby
7 years ago

  • Milestone changed from 2.1.3 to Future Release

Moving this to Future Release, since netweb's attached patch doesn't actually work, and supported layered conversions is a slippery slope.

This type of situation would be better handled by a massive forced password reset than trying to piggy-back migration logic, or hard-coding layers of potential issues from any one platform any other to bbPress 2.x.

Note: See TracTickets for help on using tickets.