
Question regarding 2.2 update and mybb passwordhash support

Hi there, I imported our mybb mysql database a while back and I've successfully updated vanilla forums for the last 2 releases. I have, however, been patching the vanilla/library/core/class.passwordhash.php file manually, as the mybb code section in that file did not work as is. What must we do in order to keep this working when we upgrade to the new 2.2 update?

Below is the bit of code from that file that does work for mybb along with the original commented code that did not work:
    case 'mybb':
        // Original code from the file, which did not match our imported hashes
        // (it expects "hash:salt" and does not md5() the password before the outer hash):
        //$Parts = explode(':', $StoredHash, 2);
        //$Hash = GetValue(0, $Parts);
        //$Salt = GetValue(1, $Parts);
        //$ComputedHash = md5(md5($Salt).$Password);
        //$Result = $ComputedHash == $Hash;

        // Working version: the stored value is the 32-character md5 hash
        // immediately followed by the salt, and the password is md5()'d as well.
        $SaltLength = strlen($StoredHash) - 32;
        $Salt = trim(substr($StoredHash, -$SaltLength, $SaltLength));
        $MyStoredHash = substr($StoredHash, 0, strlen($StoredHash) - $SaltLength);
        $MyHash = md5(md5($Salt).md5($Password));
        $Result = $MyHash == $MyStoredHash;
        break;

I'm holding off updating until sure of what to do and that the password hashes will still work, patiently waiting for assistance, thanks. :)

Comments

  • hgtonight ∞ · New Moderator

    Do you know why the current code doesn't work? Did mybb change their hashing scheme?

    It could be helpful to submit a pull request over on GitHub.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • x00 MVP
    edited November 2015

    It is not really wise design to put a password through a hash algorithm twice, even with a salt. You only increase the chance of collision. Well, that is what mybb has done, evidently, though a newer version of mybb seems to be more like the core code.

    grep is your friend.

  • x00 MVP
    edited November 2015

    OK, you should be able to use IPB's hash.

    What you need to do is use MySQL to make a conversion. First back up your database. You probably want to put your site under maintenance.

    Then update the user table:

    UPDATE GDN_User SET Password = CONCAT(TRIM(RIGHT(Password, LENGTH(Password) - 32)), '$', TRIM(LEFT(Password, 32))), HashMethod = 'ipb' WHERE LOWER(HashMethod) = 'mybb'

    You might want to try it with a known user first:

    UPDATE GDN_User SET Password = CONCAT(TRIM(RIGHT(Password, LENGTH(Password) - 32)), '$', TRIM(LEFT(Password, 32))), HashMethod = 'ipb' WHERE LOWER(HashMethod) = 'mybb' AND UserID = [known userid]

    Then if the login works you can continue.

    I recommend adding $this->Weak = TRUE; to the end of the CheckIPB method of Gdn_PasswordHash; this will mean that when these people log in they will be converted to a stronger Vanilla hash. In fact you can do that immediately for the mybb case.

    grep is your friend.

  • Thanks for replies and suggestions.

    For active members on our forums such as myself, when looking in the database I can see that the "HashMethod" field is no longer "mybb" and has been converted to a stronger hash (I assume), as it says "Vanilla", and the "Password" fields also look different and are no longer md5 strings.

    I would like to test this suggestion of yours @x00 on a known user first; the only problem is, it has been many months since the import/porter from mybb to vanilla, and everyone I know has already logged in, so I have no test users I can try this with, and I have no old backups from that long ago.

    I assume I can probably use mysql and create a testuser with a "HashMethod" field of "mybb" and a known/created test password hashed for the "Password" field?

    Any more help that you can give me regarding this would be greatly appreciated, such as the specific "INSERT INTO GDN_User ..." sql command or maybe some php code that could help create this testuser? :)

    We currently have 1338 members that have not logged in recently who have "HashMethod" = "mybb" and 329 members that have logged in recently who have "HashMethod" = "Vanilla".

    (Assuming I'm eventually successful at updating all the users to this "ipb" HashMethod... after that I can update to 2.2 like normal and then add $this->Weak = TRUE; to the end of CheckIPB and then not have to worry about anything related to password hashes?)

  • Create a user through the dashboard, then update the Password and HashMethod fields of that user only in the database so this is a known mybb hash. Test this is correct by signing in under it.

    Then try the update for that user only (substituting [known userid] with the UserID of that user):

    UPDATE GDN_User SET Password = CONCAT(TRIM(RIGHT(Password, LENGTH(Password) - 32)), '$', TRIM(LEFT(Password, 32))), HashMethod = 'ipb' WHERE LOWER(HashMethod) = 'mybb' AND UserID = [known userid]

    If these succeed, try logging out and in again for this user.

    Report back findings.

    grep is your friend.

  • pdqlinux New
    edited November 2015

    I understand but how do I get a known mybb hash to put in the Password field? How do I create-recreate the mybb hashed password?

    I know it's md5(md5($salt).md5($password)) but what would i use for $salt? Nothing/Anything?

  • Hmm sorry, I was unable to edit my previous comment. I posted too quickly.

    I created the file below to reproduce the mybb password hashing scheme and echo out the required "Password" field hash:
    https://gist.github.com/anonymous/4f8337b94ffc459d9431

    I was able to log in, and this works for reproducing mybb users, but the UPDATE sql command didn't work: it did update the row (testuser) and change mybb to ipb, and it did change the "Password" field, but logging into the forums was unsuccessful.

    This is the sql command I ran:
    UPDATE GDN_User SET PASSWORD = CONCAT( TRIM( RIGHT( PASSWORD , LENGTH( PASSWORD ) -32 ) ) , '$', TRIM( LEFT( PASSWORD , 32 ) ) ) , HashMethod = 'ipb' WHERE HashMethod = 'mybb' AND UserID =1802

    Thanks again. :)

  • Huh, just copy one of the existing hashes that you know the password for. I may have made a mistake in my query, as I did it in my head.

    grep is your friend.

  • I can see it is not working; I will need to rack my brain as to why.

    grep is your friend.
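Added example, written for this page rather than taken from Vanilla or from the thread. It reproduces in PHP (7 or later) both stored-hash layouts the conversion above moves between, so the UPDATE can be checked against a known password before it is run on GDN_User. Two things are assumptions rather than facts stated on the page: that Vanilla's 'ipb' case splits the stored value on '$' with the hash first and the salt second, and that it computes the same md5(md5($salt).md5($password)) as the mybb case. The salt generator and all function names are mine. Under those assumptions the CONCAT() in the query above produces salt$hash, which is consistent with the test user not being able to log in after the update; the corrected column order is given as SQL in a comment at the bottom. The comparisons use hash_equals() rather than == because PHP's loose comparison treats two hex strings of the form 0e... as equal numbers.

```php
<?php
// Added example: mirrors the MyBB and (assumed) IPB stored-hash layouts used by
// Vanilla's Gdn_PasswordHash, to test a conversion query offline. Not project code.

// MyBB salts are short alphanumeric strings; any value works for a test user.
function mybb_salt(int $length = 8): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

// The digest both schemes compute: md5(md5(salt) . md5(password)).
function mybb_digest(string $password, string $salt): string {
    return md5(md5($salt) . md5($password));
}

// GDN_User.Password value for HashMethod = 'mybb': 32 hex chars of digest, then the salt.
function mybb_stored(string $password, string $salt): string {
    return mybb_digest($password, $salt) . $salt;
}

// Same logic as the working 'mybb' case posted above (hash first, salt after).
function check_mybb(string $password, string $stored): bool {
    $saltLength = strlen($stored) - 32;
    if ($saltLength <= 0) {
        return false;
    }
    $salt = trim(substr($stored, -$saltLength, $saltLength));
    $hash = substr($stored, 0, 32);
    return hash_equals($hash, mybb_digest($password, $salt));
}

// Assumed shape of Vanilla's CheckIPB: "hash$salt", same digest as MyBB.
function check_ipb(string $password, string $stored): bool {
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    list($hash, $salt) = $parts;
    return hash_equals($hash, mybb_digest($password, $salt));
}

// The two candidate conversions, written exactly as the SQL CONCAT() would build them.
// Query from the thread: CONCAT(TRIM(RIGHT(Password, LENGTH(Password) - 32)), '$', TRIM(LEFT(Password, 32)))
function convert_salt_first(string $stored): string {
    return trim(substr($stored, 32)) . '$' . trim(substr($stored, 0, 32));
}
// Corrected order:       CONCAT(LEFT(Password, 32), '$', TRIM(SUBSTRING(Password, 33)))
function convert_hash_first(string $stored): string {
    return substr($stored, 0, 32) . '$' . trim(substr($stored, 32));
}

// Constructed test data; the salt is fixed so the run is reproducible.
$password = 'correct horse battery staple';
$salt     = 'q4Yk2Zp7';                  // or mybb_salt() for a fresh one
$stored   = mybb_stored($password, $salt);

printf("mybb Password value      : %s\n", $stored);
printf("mybb check               : %s\n", check_mybb($password, $stored) ? 'pass' : 'FAIL');
printf("salt\$hash via ipb check  : %s\n", check_ipb($password, convert_salt_first($stored)) ? 'pass' : 'FAIL');
printf("hash\$salt via ipb check  : %s\n", check_ipb($password, convert_hash_first($stored)) ? 'pass' : 'FAIL');
printf("hash\$salt, wrong password: %s\n", check_ipb('wrong', convert_hash_first($stored)) ? 'pass' : 'FAIL');

// Under the assumptions above, the statement to run on the known test user is:
//   UPDATE GDN_User
//      SET Password = CONCAT(LEFT(Password, 32), '$', TRIM(SUBSTRING(Password, 33))),
//          HashMethod = 'ipb'
//    WHERE LOWER(HashMethod) = 'mybb' AND UserID = [known userid];
```

Run it once with the known test password, insert the printed mybb Password value into the test user's row, confirm the login, then run the UPDATE on that UserID only and confirm the login again before widening the WHERE clause. The $this->Weak = TRUE; suggestion above is what then gets each converted account rehashed by Vanilla on its next successful login.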

  • @x00 Thanks

  • I've downloaded 2.2 and have been browsing the files; apparently the file class.passwordhash.php NOW uses the corrected mybb code block, the same one I have been manually patching in for previous releases. :P Can't believe I didn't notice.

    I guess I shall try the upgrade this weekend using this as guide: http://vanillaforums.org/discussion/31153/tutorial-a-fool-proof-way-to-do-a-vanilla-upgrade-from-2-1-to-2-2

    I don't know if I should open a new discussion, but I was wondering if there are any specific nginx instructions needed for 2.2, as I don't use apache.

    These are the Vanilla-specific configurations currently used:

    # Root location
    location / {
        try_files $uri $uri/ @forum;
    }
    # Rewrite to prettify the URL and hide the ugly PHP stuff
    location @forum {
        rewrite ^/(.+)$ /index.php?p=$1 last;
    }
    # Stop things from executing in the uploads directory.
    # nginx tests regex locations in the order they appear and takes the first match,
    # so this block must sit above the PHP handler; placed below it, /uploads/x.php
    # would still be passed to php-fpm. The dot before the extension is escaped so
    # it matches a literal dot only.
    location ~* ^/uploads/.*\.(html|htm|shtml|php)$ {
        types { }
        default_type text/plain;
    }
    # PHP handler
    location ~ \.php {
        try_files $uri =404;
        include fastcgi_params;
        #fastcgi_pass php5-fpm-sock;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
    # Keep nosey people from discovering categories by number
    location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ {
        return 404;
    }
    # Deny, drop, or internal locations
    location ~ /\. { access_log off; log_not_found off; deny all; }
    location ~ ~$ { access_log off; log_not_found off; deny all; }
    location = /robots.txt { access_log off; log_not_found off; }
    location ^~ /favicon { access_log off; log_not_found off; }
    location ^~ /conf/ { internal; }
    # Taking advantage of browser caching for static stuff
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|eot|woff|ttf|svg)$ {
        expires max;
        log_not_found off;
    }

    location /plugin/imonline { access_log off; log_not_found off; }

    Thanks again for help. :awesome:

  • R_J Ex-Fanboy Munich Admin

    There's no need to change your nginx configuration for 2.2
