Vanilla password checking for PunBB

sexybiggetje

Hi,
I started importing PunBB data to my fresh Vanilla installation. After conquering some queries that failed I now have an import file that the forum reads. However the passwordhash class isn't complete. My installation has passwords saved as sha1.
The CheckPassword function seems to validate against md5 and sha1(salt.sha1(password)). In order for the forum to function without resetting passwords it would need the addition of

        if (sha1($Password) == $StoredHash)
           $Result = TRUE;

x00

This could be doable with an update query, first back up!

You could change the HashMethod to django then use a zero length salt.

UPDATE GDN_User SET Password = CONCAT('sha1$$',Password), HashMethod = 'Django' WHERE LOWER(HashMethod) = 'punbb';

Alternatively you could generate Salts, given that it double hashes.

UPDATE GDN_User SET Password = CONCAT(SHA1(CONCAT((@rmdSalt :=  LEFT (UUID_SHORT(),5)),Password)),'$', @rmdSalt) WHERE LOWER(HashMethod) = 'punbb';

You can test it has worked with

SELECT UserID FROM GDN_User WHERE  LEFT(Password, LOCATE('$',Password) - 1) = SHA1(CONCAT(MID(Password,LOCATE('$',Password) + 1),SHA1('yourpass')));

where yourpass is your password of an account with punbb as HashMethod

Note this is untested but the principle is sound. They probably did it that way for backward compatibility but you wouldn't normally hash a hash, they do it the correct way.

x00

they probably double hash like that for backward compatibility, which is lucky for you.

generally it is not recommended to double hash, but they did it the recommended way.

sexybiggetje

Interesting. That could work for me.