HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Users' passwords not working after a fresh import from a bbPress forum

I've imported a bbPress forum via the Porter tool.

Everything looks OK except user passwords.

User passwords are the same in the MySQL field when I compared them with the previous forum.

None of the users, including admin users, can log in with their bbPress passwords after migrating into the Vanilla forum.

Is it related to the hash algorithm used in Vanilla?

Is there an extra step after migration to be able to use the migrated passwords?


Vanilla version 2021.012

Porter 2.5

Imported from bbPress 2

Comments

  • R_J Ex-Fanboy Munich Admin

    That's not possible if passwords are saved securely in the former system.

    Passwords aren't saved in the database, only a "comparison value" that has been calculated when the password has been changed by the user the last time. As a result, the old password cannot be recalculated to the comparison value that Vanilla uses.

    I suggest creating a dismissable message that directs to a discussion explaining the reasons for the change and what's new. In that discussion you have to tell people that they need to reset their passwords due to the system change.

  • x00 MVP
    edited November 2021

    I believe bbPress uses WordPress hashes, which use a version of PHPass.

    Vanilla also uses PHPass; however, this doesn't guarantee that passwords are portable. It depends on what hash method is used; if Blowfish is used, for instance, it might not be.

    In the Gdn_User table in the database, what HashMethod is used for these users? Do the Password fields have a prefix of $P$ or $H$?

    grep is your friend.

  • R_J Ex-Fanboy Munich Admin

    I thought Vanilla passwords are additionally salted...

  • R_J Ex-Fanboy Munich Admin

    But I'm too lazy to check that 😉

  • Linc Detroit Admin
    edited November 2021

    Vanilla is capable of migrating some passwords. It does this by updating the hash method as each user logs in for the first time on the Vanilla instance.

    The bbPress 2 porter should be capable of migrating passwords.

    I suggest making a new user with a shareable / fake password on the bbPress2 site. The complexity of the password is irrelevant; it can just be a simple word. If you share what this sample password is (plain text) along with the Password value that comes into Vanilla when you do the migration (the hash) AND what the HashMethod field says (both are on the User table), we can try troubleshooting this.

    I'll warn you it can be quite time-consuming to do this. If you need the migration quickly, I'd do as RJ suggests and recommend users reset their passwords. However, it'd be nice to get it working again in the Porter for other folks if it's indeed broken.

  • Thank you guys for your responses.

    The WordPress user password in plain text is: Test7111!, and the hash is $P$BR4eCL0l1RY3JUgp2QLpuzLCpYUJ/61

    After migration, the Vanilla forum DB shows the same $P$BR4eCL0l1RY3JUgp2QLpuzLCpYUJ/61 with HashMethod Vanilla.

    Later I created a user test1611-1 while the SSO connection was active.

    In WordPress the value is 12345678 and the hash is $P$BagzqEv.q6kZLkNIYlaqb2FNtZ73E71

    In Vanilla it is 2ea6fd7beef3eb145fe46b8772ca3efb with HashMethod Random.

    Thank you again. Vanilla Cloud connections confused me a bit, but seeing you guys responding really relieved me.

  • It might be useful to know:

    From the WordPress site, when I try to log in it gives this error:

    State cookie is required.
    ## /home/r00aq26qjfrc/public_html/plugins/jsconnect/class.jsconnect.plugin.php(1412)
    #0 /home/r00aq26qjfrc/public_html/plugins/jsconnect/class.jsconnect.plugin.php(503): JsConnectPlugin->handleConnectDataV3(Object(EntryController), Object(Gdn_Form))
    #1 [internal function]: JsConnectPlugin->base_connectData_handler(Object(EntryController), Array)
    #2 /home/r00aq26qjfrc/public_html/library/Garden/EventManager.php(282): call_user_func_array(Array, Array)
    #3 /home/r00aq26qjfrc/public_html/library/core/class.pluginmanager.php(812): Garden\EventManager->fire('Base_ConnectDat...', Object(EntryController), Array)
    #4 /home/r00aq26qjfrc/public_html/library/core/class.pluginmanager.php(775): Gdn_PluginManager->callEventHandler(Object(EntryController), 'Base', 'ConnectData', 'Handler')
    #5 /home/r00aq26qjfrc/public_html/library/core/class.pluggable.php(137): Gdn_PluginManager->callEventHandlers(Object(EntryController), 'EntryController', 'ConnectData')
    #6 /home/r00aq26qjfrc/public_html/applications/dashboard/controllers/class.entrycontroller.php(452): Gdn_Pluggable->fireEvent('ConnectData')
    #7 /home/r00aq26qjfrc/public_html/library/core/class.dispatcher.php(933): EntryController->connect('jsconnect')
    #8 /home/r00aq26qjfrc/public_html/library/core/class.dispatcher.php(335): Gdn_Dispatcher->dispatchController(Object(Gdn_Request), Array)
    #9 /home/r00aq26qjfrc/public_html/index.php(29): Gdn_Dispatcher->dispatch()
    #10 {main}
    Debug Trace

    Info: Could not find file 'custom_default.css' in folder ''.
    Notice: Undefined index: internal
    
    #0 /home/r00aq26qjfrc/public_html/library/core/class.router.php(70): gdn_ErrorHandler(8, 'Undefined index...', '/home/r00aq26qj...', 70, Array)
    #1 /home/r00aq26qjfrc/public_html/library/core/class.theme.php(92): Gdn_Router->getRoute('DefaultControll...')
    #2 /home/r00aq26qjfrc/public_html/library/Vanilla/Web/TwigEnhancer.php(300): Gdn_Theme::breadcrumbs(Array, true, Array)
    #3 /home/r00aq26qjfrc/public_html/cache/twig/33/33ce86f808d8eaab79d17cea2833220d28169647cce3cf362f6c9913bba2ce7a.php(59): Vanilla\Web\TwigEnhancer->renderBreadcrumbs()
    #4 /home/r00aq26qjfrc/public_html/vendor/twig/twig/src/Template.php(405): __TwigTemplate_bbf1e3e74c1d6c2f6f4fdb7d25bb27adad24e069bd10df46ba6169eb482e6fa5->doDisplay(Array, Array)
    #5 /home/r00aq26qjfrc/public_html/vendor/twig/twig/src/Template.php(378): Twig\Template->displayWithErrorHandling(Array, Array)
    #6 /home/r00aq26qjfrc/public_html/vendor/twig/twig/src/Template.php(390): Twig\Template->display(Array)
    #7 /home/r00aq26qjfrc/public_html/vendor/twig/twig/src/TemplateWrapper.php(45): Twig\Template->render(Array, Array)
    #8 /home/r00aq26qjfrc/public_html/vendor/twig/twig/src/Environment.php(318): Twig\TemplateWrapper->render(Array)
    #9 /home/r00aq26qjfrc/public_html/library/Vanilla/Web/TwigRenderTrait.php(44): Twig\Environment->render('/addons/themes/...', Array)
    #10 /home/r00aq26qjfrc/public_html/library/Vanilla/Web/MasterViewRenderer.php(141): Vanilla\Web\MasterViewRenderer->renderTwig('/addons/themes/...', Array)
    #11 /home/r00aq26qjfrc/public_html/library/Vanilla/Web/MasterViewRenderer.php(104): Vanilla\Web\MasterViewRenderer->renderThemeContentView(Array)
    #12 /home/r00aq26qjfrc/public_html/library/core/class.controller.php(2219): Vanilla\Web\MasterViewRenderer->renderGdnController(Object(EntryController))
    #13 /home/r00aq26qjfrc/public_html/library/core/class.controller.php(1595): Gdn_Controller->renderMaster()
    #14 /home/r00aq26qjfrc/public_html/library/core/class.pluggable.php(217): Gdn_Controller->xRender('<div class="Con...')
    #15 /home/r00aq26qjfrc/public_html/applications/dashboard/controllers/class.entrycontroller.php(458): Gdn_Pluggable->__call('render', Array)
    #16 /home/r00aq26qjfrc/public_html/library/core/class.dispatcher.php(933): EntryController->connect('jsconnect')
    #17 /home/r00aq26qjfrc/public_html/library/core/class.dispatcher.php(335): Gdn_Dispatcher->dispatchController(Object(Gdn_Request), Array)
    #18 /home/r00aq26qjfrc/public_html/index.php(29): Gdn_Dispatcher->dispatch()
    #19 {main}
  • Linc Detroit Admin
    edited November 2021

    The $P$ prefix to the hashes confirms you're using the standard PHPass hash implementation. I believe the next character B is the number of rounds in hexadecimal (that's 11 in decimal or "normal" numbers).

    Vanilla previously used PHPass which means that password hash would have worked as-is. However, I believe it now uses the standard password_hash() function (whose hashes start with $2y$10$ by default).

    So I think this is a case of the bbPress exporter assuming the old Vanilla 2.x implementation of passwords which is no longer the case.

    Try setting the HashMethod for that user to phpass and see if you can log in.

    If that works, you can safely update all users to that HashMethod and you should be clear. That would also be a simple fix I can make to the Porter.

    If not, let me know and we can try digging deeper.
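As an added example (not code from Vanilla, Porter or WordPress), here is how the $P$ portable hash in this thread is structured and re-computed, so one migrated value can be checked against its known plaintext before a HashMethod is changed for every user. The fourth character selects the round count from PHPass's own 64-character alphabet rather than hex, so 'B' is index 13 and means 2**13 = 8192 MD5 iterations; the salt R4eCL0l1 in the check below is taken from the hash posted earlier in the thread.

```python
# Added example for this thread, not Vanilla's, Porter's or WordPress's own code: decode and
# verify PHPass "portable" hashes ($P$/$H$), the format bbPress/WordPress store.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes) -> str:
    """PHPass' own little-endian base64 variant (not standard base64); 16 bytes -> 22 chars."""
    out = []
    for j in range(0, len(raw), 3):
        chunk = raw[j:j + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def _setting(stored: str):
    """Return the 12-char setting ($P$ + rounds char + 8-char salt) and log2(rounds)."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) < 12 or stored[3] not in ITOA64:
        raise ValueError("not a PHPass portable hash")
    log2 = ITOA64.index(stored[3])  # not hex: 'B' is index 13, so 2**13 = 8192 rounds
    if not 7 <= log2 <= 30:
        raise ValueError("round count out of range")
    return stored[:12], log2


def phpass_rounds(stored: str) -> int:
    """Number of MD5 iterations encoded in the hash (WordPress default 'B' -> 8192)."""
    return 1 << _setting(stored)[1]


def phpass_crypt(password: str, setting: str) -> str:
    """md5(salt + pw), then 2**log2 rounds of md5(prev + pw), appended to the setting."""
    setting, log2 = _setting(setting)
    pw = password.encode()
    h = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << log2):
        h = hashlib.md5(h + pw).digest()
    return setting + _encode64(h)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored $P$ hash."""
    return len(stored) == 34 and hmac.compare_digest(phpass_crypt(password, stored), stored)
```

A stored value whose HashMethod does not match its real format fails this check regardless of the password, which is the symptom the thread describes.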

  • Linc Detroit Admin
    edited November 2021

    in vanilla 2ea6fd7beef3eb145fe46b8772ca3efb with hash method Random

    This means the password has been disabled because the account is attached to SSO.

    If you use SSO for an account, the work we're doing here is irrelevant because it's authenticating against the other site, not the Vanilla database.

    To be clear: Updating the HashMethod on that record would be useless because it now has a gibberish password to disallow direct login.

  • I think it will still be compatible with the PHPass passwords, as that would be needed for the update. So Vanilla should work as the hash method so long as internally the PHPass options are transportable.


    However I agree if using SSO, you don't need to worry about Password authentication.

    grep is your friend.

  • I've already tried changing the hash method to phpass. Unfortunately it didn't work out. While testing I disconnected SSO.

    Linc said my problem is a bit related to the "security bug bounty program".

    I'm looking for a community solution to mitigate that program.

    thanks

    Bulent

  • Linc Detroit Admin
    edited November 2021

    Linc said my problem is a bit related to the "security bug bounty program".

    I said no such thing. You are worrying about the HackerOne message on the boards and I've been trying to explain it's unrelated, and you keep asking more about it instead. Just ignore the damn thing.

  • Linc, sorry if I misunderstood you.

    But it's not only a message to ignore. From WordPress, users can log in to WP but cannot join the forum via SSO; it's still asking them to sign in.

    When I try to sign in it shows this:


    thanks

    Bulent

  • x00 MVP
    edited November 2021

    The hash method would be Vanilla, not phpass.

    phpass is lower level but is not used to select the hash method. Blowfish encryption is sometimes used by phpass and this can affect portability.

    If you are using SSO then just go with that.

    grep is your friend.

  • x00 MVP
    edited November 2021

    The issue relates to connect data being received from WordPress. In decoding the JSON Web Token (https://jwt.io/) something is going wrong.

    grep is your friend.

  • x00 MVP
    edited November 2021

    I believe it is related to the CSRF cookie. You won't get the exact line where the bug occurs because the exception happens within a try/catch. However, based on experience it would be line 1407: [$user, $state] = $jsc->validateResponse($jwt, $this->cookie->get($this->getCSRFCookieName()));

    grep is your friend.

  • x00 MVP
    edited November 2021

    What plugin are you using in WordPress for jsConnect and when was it updated?

    grep is your friend.

  • I'm using the Vanilla Forum plugin

    • Version: 1.3.1
    • Last updated: 1 year ago
    • Active installations: 400+
    • Tested up to: 5.3.10 (my WP version is 5.8.2)

    thanks
