FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Plugins and Code Hacks » fud_update_user, fud_add_user patch (Password was stored as plain text instead of hash)
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
fud_update_user, fud_add_user patch [message #166629] Wed, 01 February 2012 01:58 Go to next message
NeXuS is currently offline  NeXuS
Messages: 121
Registered: July 2010
Location: South Korea
Karma: 5
Senior Member
Contributing Core Developer
add to buddy list
ignore all messages by this user
Here is the patch. Storing the password in SHA1 salted from and generating new salt (better than MD5 without salt).

EDIT: uploaded improved patch
  • Attachment: fudapi.diff
    (Size: 2.24KB, Downloaded 388 times)

[Updated on: Thu, 02 February 2012 02:35]

Report message to a moderator

Re: fud_update_user, fud_add_user patch [message #166642 is a reply to message #166629] Sat, 04 February 2012 03:27 Go to previous messageGo to next message
DaveQB is currently offline  DaveQB   Australia
Messages: 109
Registered: January 2006
Location: Sydney
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user

WOW! What?

Out of the box FUDforum stores passwords as plain text??

Ok looking in the DB for my forum (v3.0.3) the passwords are hashes of some sort and there is a salt column in the users table....but it is NULL for everyone.

So the devs of FUDforum provised a salt table but haven't implemented it and your patch actually uses salt for each user?
Can this patch be applied to an already running forum? How to the existing passwords get along with this patch?


Re: fud_update_user, fud_add_user patch [message #166643 is a reply to message #166642] Sat, 04 February 2012 03:32 Go to previous messageGo to next message
NeXuS is currently offline  NeXuS
Messages: 121
Registered: July 2010
Location: South Korea
Karma: 5
Senior Member
Contributing Core Developer
add to buddy list
ignore all messages by this user
EDIT : FUDforum does not store passwords in plain text.

FUDforum supports 2 authentication models: straight MD5 hashing of password, or SHA1 hashing of (password concatenated with SHA1 hash of salt). If the salt is present, FUD assumes SHA1, otherwise plain MD5.

The fud_update_user and fud_add_user functions (which are intended for integration, and are not directly called by FUDforum) were simply wrongly coded and stored passwords in plaintext (thus login would not work, since it expects an hash). I just made sure that they use the most secure form possible, although it is slightly more expensive (two hashes for every authentication instead of one).

[Updated on: Sat, 04 February 2012 03:41]

Report message to a moderator

Re: fud_update_user, fud_add_user patch [message #166649 is a reply to message #166643] Sun, 05 February 2012 01:01 Go to previous messageGo to next message
DaveQB is currently offline  DaveQB   Australia
Messages: 109
Registered: January 2006
Location: Sydney
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user

Umm so this patch is not needed for systems without funcitonal issues and hashed passwords?

It seems my forum is not using salt, so I would like it to. Do I wait for the next update??

Re: fud_update_user, fud_add_user patch [message #166650 is a reply to message #166649] Sun, 05 February 2012 10:24 Go to previous messageGo to next message
NeXuS is currently offline  NeXuS
Messages: 121
Registered: July 2010
Location: South Korea
Karma: 5
Senior Member
Contributing Core Developer
add to buddy list
ignore all messages by this user
DaveQB wrote on Sun, 05 February 2012 15:01
Umm so this patch is not needed for systems without funcitonal issues and hashed passwords?


Indeed, it is not needed on a functional forum. It is needed only if you want to manipulate user data via the API.

Quote:

It seems my forum is not using salt, so I would like it to. Do I wait for the next update??


I have not yet a full understanding of the inner workings of FUD, but one of the things I wish to do is have the salt be used by default. Look forward to it in one of the upcoming versions.
Re: fud_update_user, fud_add_user patch [message #166652 is a reply to message #166650] Sun, 05 February 2012 13:45 Go to previous messageGo to next message
DaveQB is currently offline  DaveQB   Australia
Messages: 109
Registered: January 2006
Location: Sydney
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user

Cool. Thanks for that. I look forward to it.

Re: fud_update_user, fud_add_user patch [message #166699 is a reply to message #166652] Sat, 11 February 2012 00:08 Go to previous message
naudefj is currently offline  naudefj   South Africa
Messages: 3624
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
remove from buddy list
ignore all messages by this user
For future reference, this patch was committed by theonlynexus.
Details @ http://fudforum.svn.sourceforge.net/viewvc/fudforum?view=revision&revis ion=5422
Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: How to move/replicate elements to another spot on the page
Next Topic: GLOBALS.php and integration: suggested patch
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Oct 20 21:28:44 EDT 2017

Total time taken to generate the page: 0.00860 seconds