
Vanilla password checking for PunBB

Hi,
I started importing PunBB data to my fresh Vanilla installation. After conquering some queries that failed, I now have an import file that the forum reads. However, the passwordhash class isn't complete. My installation has passwords saved as sha1.
The CheckPassword function seems to validate against md5 and sha1(salt.sha1(password)). In order for the forum to function without resetting passwords, it would need the addition of

        // proposed addition to CheckPassword() in the passwordhash class:
        // accept a bare, unsalted sha1(password) as PunBB stores it
        if (sha1($Password) == $StoredHash) {
            $Result = TRUE;
        }

Comments

  • x00x00 MVP
    edited October 2013

    This could be doable with an update query, first back up!

    You could change the HashMethod to django then use a zero length salt.

    UPDATE GDN_User SET Password = CONCAT('sha1$$',Password), HashMethod = 'Django' WHERE LOWER(HashMethod) = 'punbb';
    

    Alternatively you could generate Salts, given that it double hashes.

    UPDATE GDN_User SET Password = CONCAT(SHA1(CONCAT((@rmdSalt := LEFT(UUID_SHORT(),5)),Password)),'$', @rmdSalt) WHERE LOWER(HashMethod) = 'punbb';

    You can test it has worked with

    SELECT UserID FROM GDN_User WHERE LEFT(Password, LOCATE('$',Password) - 1) = SHA1(CONCAT(MID(Password,LOCATE('$',Password) + 1),SHA1('yourpass')));

    where yourpass is the password of an account with punbb as HashMethod.

    Note this is untested, but the principle is sound. They probably did it that way for backward compatibility, but you wouldn't normally hash a hash; they do it the correct way.

    grep is your friend.
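
The migration above can be checked offline before touching GDN_User. The following is an added example, not code from the thread or from Vanilla or PunBB; it assumes the layouts the thread describes (PunBB stores a bare sha1(password) hex digest; the salted form is sha1(salt . sha1(password)) stored as hash$salt; Django's legacy form is sha1$salt$digest) and builds its own sample row, so no real data is involved. It rewraps the stored digest without ever needing the plaintext, mirrors the LOWER(HashMethod) = 'punbb' predicate, and verifies the result with a constant-time comparison rather than the plain == of the snippet in the question.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed fixture: one PunBB-style user row. PunBB stores sha1(password)
# as a 40-char hex digest with no salt; HashMethod 'punbb' is the value the
# thread's UPDATE statements match on. The plaintext exists only to build the
# fixture and to verify at the end.
SAMPLE_PLAINTEXT = "correct horse battery"
SAMPLE_ROW = {
    "UserID": 1,
    "Password": hashlib.sha1(SAMPLE_PLAINTEXT.encode()).hexdigest(),
    "HashMethod": "punbb",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def rewrap_punbb_to_vanilla(stored_sha1: str, salt: Optional[str] = None) -> str:
    """Turn a bare sha1(password) digest into the salted layout the thread
    describes, sha1(salt . sha1(password)) followed by '$' and the salt.
    No plaintext is needed: the inner sha1 is exactly what PunBB stored."""
    if salt is None:
        # 5-character random salt, standing in for LEFT(UUID_SHORT(),5) in the
        # thread's UPDATE; secrets draws from the OS CSPRNG.
        salt = secrets.token_hex(3)[:5]
    outer = sha1_hex((salt + stored_sha1).encode())
    return f"{outer}${salt}"


def rewrap_punbb_to_django(stored_sha1: str) -> str:
    """The thread's first option: Django's 'sha1$salt$digest' layout with an
    empty salt, so the digest is the untouched PunBB sha1(password)."""
    return f"sha1$${stored_sha1}"


def check_vanilla(password: str, stored: str) -> bool:
    """Verify against the 'hash$salt' layout. compare_digest avoids the
    early-exit byte comparison that a plain == gives."""
    outer, sep, salt = stored.partition("$")
    if sep != "$":
        return False
    candidate = sha1_hex((salt + sha1_hex(password.encode())).encode())
    return hmac.compare_digest(candidate, outer)


def check_django_sha1(password: str, stored: str) -> bool:
    """Verify Django's legacy sha1$salt$digest, i.e. sha1(salt + password)."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "sha1":
        return False
    _, salt, digest = parts
    return hmac.compare_digest(sha1_hex((salt + password).encode()), digest)


def migrate_rows(rows, method: str = "vanilla"):
    """Rewrap every row whose HashMethod is punbb (case-insensitive, like
    LOWER(HashMethod) = 'punbb') and leave all other rows untouched."""
    out = []
    for row in rows:
        row = dict(row)
        if row.get("HashMethod", "").lower() == "punbb":
            if method == "vanilla":
                row["Password"] = rewrap_punbb_to_vanilla(row["Password"])
                row["HashMethod"] = "Vanilla"
            else:
                row["Password"] = rewrap_punbb_to_django(row["Password"])
                row["HashMethod"] = "Django"
        out.append(row)
    return out


if __name__ == "__main__":
    migrated = migrate_rows([SAMPLE_ROW])[0]
    print(migrated["Password"], check_vanilla(SAMPLE_PLAINTEXT, migrated["Password"]))
```

Run it once against a copy of the exported rows before running the UPDATE on the live table: a row that fails check_vanilla with its known test password points to a layout mismatch, not a data problem. Either rewrap only buys compatibility with unsalted sha1; the sensible follow-up is to re-hash each user with the forum's current default method at their next successful login.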

  • They probably double hash like that for backward compatibility, which is lucky for you.

    Generally it is not recommended to double hash, but they did it the recommended way.

    grep is your friend.

  • Interesting. That could work for me.
