Welcome, Guest. Please Login or Register.
November 24, 2024, 10:38:48 AM
Home Help Search Log in Register
News: If you are still using YaBB SE, please consider upgrading to SMF as soon as possible.

YaBB SE Community  |  YaBB SE Info  |  News From the YaBB SE Team  |  Version 1.4 on the way... « previous next »
Pages: 1 ... 8 9 [10] 11 12 ... 16 Reply Ignore Print
Author Topic: Version 1.4 on the way...  (Read 57007 times)
Neil Darlow
Noobie
*
Posts: 9


I'm a llama!

WWW
Re:Version 1.4 on the way...
« Reply #135 on: May 24, 2002, 01:20:09 PM »
Reply with quote

Quote from: Chris Cromer on May 24, 2002, 12:50:55 PMWell that is how the dev's did it in Profile.php, whether it is correct or not... I am not sure.

I have YaBB SE-1.3.0 plus the bug fix package. Looking at Profile.php the password crypt manipulations are done on variable $queryPasswdPart which is modified by escaping from the string and concatenating the crypt function result using the . operator back into string mode.

What you showed earlier is not like this at all.
Logged
Chris Cromer
The Strange One
Mod Team
YaBB God
*****
Posts: 3152


I am just a figment of your imagination.

WWW
Re:Version 1.4 on the way...
« Reply #136 on: May 24, 2002, 01:28:02 PM »
Reply with quote

If you read $queryPasswdPart you will see that it is equal to what I wrote in the query. ::)
« Last Edit: May 24, 2002, 01:36:23 PM by Chris Cromer » Logged

Chris Cromer

I am not suffering from insanity, I am enjoying every minute of it.
Chris Cromer
The Strange One
Mod Team
YaBB God
*****
Posts: 3152


I am just a figment of your imagination.

WWW
Re:Version 1.4 on the way...
« Reply #137 on: May 24, 2002, 01:52:48 PM »
Reply with quote

Well, I have fixed it. I am going to post the code and then we should now have 1.4 :)
« Last Edit: May 24, 2002, 02:39:15 PM by Chris Cromer » Logged

Chris Cromer

I am not suffering from insanity, I am enjoying every minute of it.
Chris Cromer
The Strange One
Mod Team
YaBB God
*****
Posts: 3152


I am just a figment of your imagination.

WWW
Re:Version 1.4 on the way...
« Reply #138 on: May 24, 2002, 02:00:32 PM »
Reply with quote

Replace this in Profile.php:

   $yytitle="$txt[245]";
   template_header();
      $euser=urlencode($member['user']);
      sendmail($member['email'],"$txt[700] $mbname", "$txt[733] $member[passwrd1] $txt[734] $member[user].\n\n$txt[701] $scripturl?action=profile;user=$euser\n\n$txt[130]");
      print <<<EOT

with:

   $yytitle="$txt[245]";
   template_header();
      $euser=urlencode($member['user']);
      $pswd = $member['passwrd1'];
      $queryPasswdPart="passwd='".crypt($pswd, substr($pswd,0,2))."'";
      $request = mysql_query("UPDATE {$db_prefix}members SET $queryPasswdPart WHERE memberName='$user'");
      sendmail($member['email'],"$txt[700] $mbname", "$txt[733] $pswd $txt[734] $member[user].\n\n$txt[701] $scripturl?action=profile;user=$euser\n\n$txt[130]");
      print <<<EOT

and also replace this:

   mt_srand(34028934023); //pseudo-random seed
   if( $member['passwrd1'] == '' && $emailnewpass && strtolower($member['email']) != strtolower($settings[2]) && $settings[7] != 'Administrator') {
      $member['passwrd1'] = crypt(mt_rand(-100000,100000));
      $newpassemail = 1;
   } else {

with:

     mt_srand(time());
      if( $member['passwrd1'] == '' && $emailnewpass && strtolower($member['email']) != strtolower($settings[2]) && $settings[7] != 'Administrator') {
            $member['passwrd1'] = crypt(mt_rand(-100000,100000));
            $member['passwrd1'] = preg_replace("/\W/","",$member['passwrd1']);
            $member['passwrd1'] = substr($member['passwrd1'],0,10);
            $newpassemail = 1;
   } else {

Then it will work normally. :)
Logged

Chris Cromer

I am not suffering from insanity, I am enjoying every minute of it.
Neil Darlow
Noobie
*
Posts: 9


I'm a llama!

WWW
Re:Version 1.4 on the way...
« Reply #139 on: May 24, 2002, 02:03:10 PM »
Reply with quote

Quote from: Chris Cromer on May 24, 2002, 12:06:09 PM      $pswd = $member['passwrd1'];
      $request = mysql_query("UPDATE {$db_prefix}members SET passwd='crypt($pswd,substr($pswd,0,2))' WHERE memberName='$user'");
      sendmail($member['email'],"$txt[700] $mbname", "$txt[733] $pswd $txt[734] $member[user].\n\n$txt[701] $scripturl?action=profile;user=$euser\n\n$txt[130]");

Contrast your code, above, with this:

     $request = mysql_query("UPDATE {$db_prefix}members SET passwd='" . crypt($pswd,substr($pswd,0,2)) . "' WHERE memberName='$user'");
Notice the escape from string mode to execute crypt followed by entry back into string mode. I have added spaces around the . operators for clarity.
Logged
Neil Darlow
Noobie
*
Posts: 9


I'm a llama!

WWW
Re:Version 1.4 on the way...
« Reply #140 on: May 24, 2002, 02:21:34 PM »
Reply with quote

Quote from: Chris Cromer on May 24, 2002, 02:00:32 PMReplace this in Profile.php:

     mt_srand(time());
      if( $member['passwrd1'] == '' && $emailnewpass && strtolower($member['email']) != strtolower($settings[2]) && $settings[7] != 'Administrator') {
            $member['passwrd1'] = crypt(mt_rand(-100000,100000));
            $member['passwrd1'] = preg_replace("/\W/","",$member['passwrd1']);
            $member['passwrd1'] = substr($member['passwrd1'],0,10);
            $newpassemail = 1;
   } else {


Not sure about that substr call. crypted passwords are two (2) salt plus eleven (11) characters. Why are you extracting the first ten?
Logged
Chris Cromer
The Strange One
Mod Team
YaBB God
*****
Posts: 3152


I am just a figment of your imagination.

WWW
Re:Version 1.4 on the way...
« Reply #141 on: May 24, 2002, 02:24:55 PM »
Reply with quote

That makes the password 10 characters long instead of the super huge password you would normally receive.

There was 3 bugs not just 1. The first was the password would contain special characters that it wasn't supposed to, the 2nd was it was too long, and the 3rd was it not saveing the password to the database after you change your password and you have e-mail password on e-mail change set.

You can see more about these other bugs here.
« Last Edit: May 24, 2002, 02:27:04 PM by Chris Cromer » Logged

Chris Cromer

I am not suffering from insanity, I am enjoying every minute of it.
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Version 1.4 on the way...
« Reply #142 on: May 24, 2002, 02:25:43 PM »
Reply with quote

Neil, that is how we are creating password in Register.php
Logged

Neil Darlow
Noobie
*
Posts: 9


I'm a llama!

WWW
Re:Version 1.4 on the way...
« Reply #143 on: May 24, 2002, 03:09:21 PM »
Reply with quote

Quote from: Jeff Lewis on May 24, 2002, 02:25:43 PMNeil, that is how we are creating password in Register.php

As long as you are aware that giving the user the salt and 8 characters of the password potentially weakens the password over that provided by crypt itself.

The other effects noted by Chris Comer are the expected outcome of MD5 and Blowfish encryption. These are documented in the PHP crypt function description (although I would add that FreeBSD natively generates a salt beginning with $2a$ for Blowfish encryption).

Passing a two character salt from the DES crypt character set (0-9A-Za-z./) should enforce the DES mode of encryption, if it's available on the platform, giving the expected 2 salt + 11 character encoding.
Logged
David
Destroyer Dave
Global Moderator
YaBB God
*****
Posts: 5761


I'm not a llama!

WWW
Re:Version 1.4 on the way...
« Reply #144 on: May 24, 2002, 03:25:05 PM »
Reply with quote

The thing is that YaBBSE passwords do not need to be strong enough for the CIA.  If you are really worried about somebody trying to use brute force to get into your account, you worry too much.  Also, so far there has not been a single known hacked board because of something YaBBSE did.
Logged

Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Version 1.4 on the way...
« Reply #145 on: May 24, 2002, 03:27:43 PM »
Reply with quote

Quote from: David on May 24, 2002, 03:25:05 PMAlso, so far there has not been a single known hacked board because of something YaBBSE did.

Lets not encourage someone :)
Logged

Neil Darlow
Noobie
*
Posts: 9


I'm a llama!

WWW
Re:Version 1.4 on the way...
« Reply #146 on: May 24, 2002, 03:46:33 PM »
Reply with quote

Quote from: David on May 24, 2002, 03:25:05 PMThe thing is that YaBBSE passwords do not need to be strong enough for the CIA.  If you are really worried about somebody trying to use brute force to get into your account, you worry too much.  Also, so far there has not been a single known hacked board because of something YaBBSE did.

Giving the user the salt is unnecessary as it's available in the database for use by the verification logic.

If you give the user all 11 characters of the password you retain password strength at the expense of sending 11 characters instead of 10.

Why give the user redundant information and weaken the password strength for the sake of a single character? And, IMHO, no password mechanism is too secure.
Logged
TheJkWhoSaysNi
YaBB God
*****
Posts: 1025


I dont know what to put here, i'll leave it blank.

ICQ - 122821095TheJkWhoSaysNi@evilemail.com WWW
Re:Version 1.4 on the way...
« Reply #147 on: May 24, 2002, 06:22:59 PM »
Reply with quote

will the  :'( smiley be fixed in 1.4?
Logged

WARNING: THIS POST MAY CONTAIN TRACES OF PEANUT!!!
I'm listening to....
Chris Cromer
The Strange One
Mod Team
YaBB God
*****
Posts: 3152


I am just a figment of your imagination.

WWW
Re:Version 1.4 on the way...
« Reply #148 on: May 24, 2002, 06:24:12 PM »
Reply with quote

I already asked that... Jeff said he wouldn't touch the smiley. ::)
Logged

Chris Cromer

I am not suffering from insanity, I am enjoying every minute of it.
TheJkWhoSaysNi
YaBB God
*****
Posts: 1025


I dont know what to put here, i'll leave it blank.

ICQ - 122821095TheJkWhoSaysNi@evilemail.com WWW
Re:Version 1.4 on the way...
« Reply #149 on: May 24, 2002, 06:25:58 PM »
Reply with quote

Aww, well if you're not going to make it work, remove it from the add smilies list...
Logged

WARNING: THIS POST MAY CONTAIN TRACES OF PEANUT!!!
I'm listening to....
Pages: 1 ... 8 9 [10] 11 12 ... 16 Reply Ignore Print 
YaBB SE Community  |  YaBB SE Info  |  News From the YaBB SE Team  |  Version 1.4 on the way... « previous - next »
 


Powered by MySQL Powered by PHP YaBB SE Community | Powered by YaBB SE
© 2001-2003, YaBB SE Dev Team. All Rights Reserved.
SMF 2.1.4 © 2023, Simple Machines
Valid XHTML 1.0! Valid CSS

Page created in 0.197 seconds with 20 queries.