Question regarding 2.2 update and mybb passwordhash support
Hi there, I imported our mybb MySQL database a while back and I've successfully updated Vanilla Forums for the last 2 releases. I have, however, been patching the vanilla/library/core/class.passwordhash.php file manually, as the mybb code section in that file did not work as is. What must we do in order to keep this working when we upgrade to the new 2.2 update?
Below is the bit of code from that file that does work for mybb, along with the original commented code that did not work:

    case 'mybb':
        // Original branch (did not work): expected "hash:salt" and hashed the raw password.
        //$Parts = explode(':', $StoredHash, 2);
        //$Hash = GetValue(0, $Parts);
        //$Salt = GetValue(1, $Parts);
        //$ComputedHash = md5(md5($Salt).$Password);
        //$Result = $ComputedHash == $Hash;
        // Working branch: the stored value is the 32-char md5 digest followed directly by the salt.
        $SaltLength = strlen($StoredHash) - 32;
        $Salt = trim(substr($StoredHash, -$SaltLength, $SaltLength));
        $MyStoredHash = substr($StoredHash, 0, strlen($StoredHash) - $SaltLength);
        $MyHash = md5(md5($Salt).md5($Password));
        $Result = $MyHash == $MyStoredHash;
        break;
I'm holding off updating until I'm sure of what to do and that the password hashes will still work. Patiently waiting for assistance, thanks.
Comments
Do you know why the current code doesn't work? Did mybb change their hashing scheme?
It could be helpful to submit a pull request over on GitHub.
It is not really wise design to put a password through a hash algorithm twice, even with a salt. You only increase the chance of collision. Well, that is what mybb has done evidently, though a newer version of mybb seems to be more like the core code.
grep is your friend.
OK, you should be able to use IPB's hash.
What you need to do is use MySQL to make a conversion. First, back up your database. You probably want to put your site under maintenance.
Then update the user table:
Update GDN_User Set Password = CONCAT(TRIM(RIGHT(Password, LENGTH(Password) - 32)), '$', TRIM(LEFT(Password, 32))), HashMethod = 'ipb' Where LOWER(HashMethod) = 'mybb'
You might want to try it with a known user first:
Update GDN_User Set Password = CONCAT(TRIM(RIGHT(Password, LENGTH(Password) - 32)), '$', TRIM(LEFT(Password, 32))), HashMethod = 'ipb' Where LOWER(HashMethod) = 'mybb' AND UserID = [known userid]
Then, if the login works, you can continue.
I recommend adding
$this->Weak = TRUE;
to the end of the CheckIPB method of Gdn_PasswordHash. This will mean that when these people log in they will be converted to a stronger Vanilla hash. In fact you can do that immediately for the mybb case.
grep is your friend.
Thanks for replies and suggestions.
For active members on our forums, such as myself, when looking in the database I can see that the "HashMethod" field is no longer "mybb" and has been converted to a stronger hash (I assume), as it says "Vanilla", and the "Password" fields also look different and are no longer md5 strings.
I would like to test this suggestion of yours @x00 on a known user first. The only problem is, it has been many months since the import/porter from mybb to Vanilla and everyone I know has already logged in, so I have no test users I can try this with, and I have no old backups from that long ago.
I assume I can probably use MySQL and create a test user with a "HashMethod" field of "mybb" and a known/created test password hashed for the "Password" field?
Any more help that you can give me regarding this would be greatly appreciated, such as the specific "INSERT INTO GDN_User ..." SQL command or maybe some PHP code that could help create this test user.
We currently have 1338 members that have not logged in recently who have "HashMethod" = "mybb" and 329 members that have logged in recently who have "HashMethod" = "Vanilla".
(Assuming I'm eventually successful at updating all the users to this "ipb" HashMethod... after that I can update to 2.2 like normal and then add
$this->Weak = TRUE;
to the end of CheckIPB and then not have to worry about anything related to password hashes?)
Create a user through the dashboard, then update the Password and HashMethod fields of that user only, in the database only, so this is a known mybb hash. Test this is correct by signing in under it. Then try
Update GDN_User Set Password = CONCAT(TRIM(RIGHT(Password, LENGTH(Password) - 32)), '$', TRIM(LEFT(Password, 32))), HashMethod = 'ipb' Where LOWER(HashMethod) = 'mybb' AND UserID = [known userid]
(substituting [known userid] for the UserID of that user). If these succeed, try logging out and in again for this user.
Report back findings.
grep is your friend.
I understand, but how do I get a known mybb hash to put in the Password field? How do I create or recreate the mybb hashed password?
I know it's md5(md5($salt).md5($password)), but what would I use for $salt? Nothing/anything?
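An added Python example (not code from this thread, from Vanilla or from mybb) that reproduces the scheme the working 'mybb' branch at the top of the thread checks, so a known test row can be constructed: the stored value is the 32-character md5 digest followed directly by the salt, and the digest is md5(md5(salt).md5(password)). It also shows why the commented-out branch never matched. The 8-character salt length and the test password are assumptions constructed here.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """Hex md5 of a UTF-8 string, matching PHP's md5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def mybb_stored_hash(password: str, salt: str = "") -> str:
    """Build the value the porter puts in GDN_User.Password for a mybb user:
    md5(md5(salt).md5(password)) with the salt appended directly after it.
    Assumption: mybb salts are 8 random characters (generated here if absent)."""
    if not salt:
        salt = secrets.token_hex(4)
    return md5_hex(md5_hex(salt) + md5_hex(password)) + salt


def mybb_check(stored: str, password: str) -> bool:
    """Mirror of the working 'mybb' branch: everything after the first 32
    characters is the (trimmed) salt. Digests are compared in constant time."""
    salt_len = len(stored) - 32
    if salt_len <= 0:
        return False  # malformed row: no room for a salt after the digest
    salt = stored[32:].strip()
    computed = md5_hex(md5_hex(salt) + md5_hex(password))
    return hmac.compare_digest(computed, stored[:32])


def mybb_check_old_branch(stored: str, password: str) -> bool:
    """The commented-out branch: expects 'hash:salt' and hashes the raw
    password, so it cannot match a row the porter produced."""
    digest, _, salt = stored.partition(":")
    return md5_hex(md5_hex(salt) + password) == digest


if __name__ == "__main__":
    # Constructed test user with a known password and a fixed salt.
    stored = mybb_stored_hash("CorrectHorse", salt="a1b2c3d4")
    print("Password column value:", stored)
    print("working branch:", mybb_check(stored, "CorrectHorse"))
    print("old branch:", mybb_check_old_branch(stored, "CorrectHorse"))
```

Paste the printed value into the test user's Password column with HashMethod set to 'mybb' to get a row that behaves like an imported mybb account.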
Hmm sorry, I was unable to edit my previous comment. I posted too quickly.
I created the file below to reproduce the mybb password hashing scheme and echo out the required "Password" field hash:
https://gist.github.com/anonymous/4f8337b94ffc459d9431
I was able to log in, and this works for reproducing mybb users, but the UPDATE SQL command didn't work: it did update the row (testuser), change mybb to ipb and change the "Password" field, but logging into the forums was unsuccessful.
This is the SQL command I ran:
UPDATE GDN_User SET PASSWORD = CONCAT( TRIM( RIGHT( PASSWORD , LENGTH( PASSWORD ) -32 ) ) , '$', TRIM( LEFT( PASSWORD , 32 ) ) ) , HashMethod = 'ipb' WHERE HashMethod = 'mybb' AND UserID =1802
Thanks again.
Huh, just copy one of the existing hashes that you know the password for. I may have made a mistake in my query, as I did it in my head.
grep is your friend.
I can see it is not working; I will need to rack my brain as to why.
grep is your friend.
@x00 Thanks
I've downloaded 2.2 and have been browsing the files. Apparently the file class.passwordhash.php NOW uses the corrected mybb code block like the one I have been manually patching in for previous releases. :P Can't believe I didn't notice.
I guess I shall try the upgrade this weekend using this as a guide: http://vanillaforums.org/discussion/31153/tutorial-a-fool-proof-way-to-do-a-vanilla-upgrade-from-2-1-to-2-2
I don't know if I should open a new discussion, but I was wondering if there are any specific nginx instructions needed for 2.2, as I don't use Apache.
These are the Vanilla-specific configurations currently used:
Thanks again for help.
There's no need to change your nginx configuration for 2.2