PDA

View Full Version : [release vb2] Database Password Encryption


dabean
01 Jun 2001, 02:37
Updated 15th July 2001
Simplish hack that allows end users to chose if they want to store encrypted versions of their password.

Full details of how this is implemented are contained in the file.
Requirements:
vBulletin 2.0.0
This has not been tested on rc1/2/3 beta1-5. It might work or it might not.

From the june 3rd update onwards a installation script is included, full details in the instructions.

kicks
01 Jun 2001, 05:03
I'll have to check this out, but it sounds very interesting :)

MrLister
01 Jun 2001, 14:20
this is auctually really good. it would be a lot better if vBulletin came with this. I hate people that just use phpMyAdmin and look at your passwords.

rebby
01 Jun 2001, 15:47
sweet!!! :D

Freddie Bingham
01 Jun 2001, 15:49
We will consider switching to encrypted passwords in the future.

rebby
01 Jun 2001, 15:57
Originally posted by freddie
We will consider switching to encrypted passwords in the future. please do... plain text passwords is one of the only things that i don't like about vb.

MrLister
01 Jun 2001, 17:25
plain text passwords is the only reason why i have to memorize so many different passwords for each vB i sign up with.

kicks
01 Jun 2001, 18:56
Originally posted by mrlister
plain text passwords is the only reason why i have to memorize so many different passwords for each vB i sign up with.

heh, you too? :)

kdog316
03 Jun 2001, 05:14
dabean can you explain exactly to me how i do this part

ALTER TABLE user ADD encryptedpass SMALLINT DEFAULT '0' not null
CREATE TABLE passgen (requesthash char(32) NOT NULL, userid int(10) unsigned DEFAULT '0' NOT NULL, requestedtime int(10) unsigned DEFAULT '0' NOT NULL)

:confused:

tubedogg
03 Jun 2001, 05:24
Just a suggestion - stick your instructions and this file into a zip and put it up instead of just your text file. It's MySQL made easy. :D

Rename this file to dbencrypt.php, stick it in your admin directory and go to it in a browser - login like you would to your Admin CP and then it'll do the queries and link you to your Admin CP.

kdog316
03 Jun 2001, 05:48
does the dbencrypt.php do all the table altering and replacing of the other php files for me

dabean
03 Jun 2001, 15:04
Updated: (15:05 BST)

Improvements:
- Database update script, delete it after using it. Thanks tubedogg but i'd already writen my own to go with this improved version.
- Encypted passwords option at registration

Bug fixes:
- Members can no longer follow a password regeneration link more than once.

kdog316
04 Jun 2001, 05:00
i ran the encyption file but i dont see any make password encrypted field on registering

dabean
04 Jun 2001, 05:11
As the text file "password_encryption.txt" contained in the zip states all the installer does it make the database changes for you. You still have to modify the code and templates by following the instructions in the file.

kdog316
04 Jun 2001, 23:36
ok something wrong is going on here when ever i edit my member.php file the way you say i get this error when i try to access my change password, edit options or any thing else that has to do with the user profile and this is the error

Fatal error: Call to undefined function: getuserinfo() in /home/photo/public_html/tmbps/member.php on line 101

and here is line 101 on member.php


$bbuserinfo=getuserinfo($userid);

dabean
05 Jun 2001, 00:04
hmm, you've obviously made a mistake in altering the code.

the following lines should exist starting at line 47.


if ($action=="login") {
include("./global.php");
if (isset($username)) {


if these lines do exist then have another look at precise structure of the alterations you made.

If you'd made any changes to global.php or admin\functions.php as part of any other hacks you have added you may also want to double check them.

kdog316
05 Jun 2001, 00:17
there at line 42 right after

// ############################### start login ###############################

here is what the code looks like for that section tell me if anything needs to be switched


if ($action=="login") {
include("./global.php");
if (isset($username)) {
// get userid for given username
if ($user=$DB_site->query_first("SELECT userid,username,password,cookieuser,encryptedpass FROM user WHERE username='".addslashes(htmlspecialchars($username))."'")) {
// secure passwords
if ($user[encryptedpass]==1) {
if ($user[password]!=md5($password)) { // check secure password
eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
exit;
}
} else {
if ($user[password]!=$password) { // check standard password
eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
exit;
}
}
$userid=$user[userid];
} else { // invalid username entered
eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
exit;
} // end secure passwords
$userid=$user[userid];
} else { // invalid username entered
eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
exit;
}

if ($user['cookieuser']==1) {
vbsetcookie("bbuserid",$user['userid']);
vbsetcookie("bbpassword",md5($user['password']));
}

$DB_site->query("DELETE FROM session WHERE sessionhash='".addslashes($session[dbsessionhash])."'");

$session['sessionhash']=md5(uniqid(microtime()));
$session['dbsessionhash']=$session['sessionhash'];
$DB_site->query("INSERT INTO session (sessionhash,userid,host,useragent,lastactivity,styleid) VALUES ('".addslashes($session['sessionhash'])."','$userid','".addslashes($session['host'])."','".addslashes($session['useragent'])."','".time()."','$session[styleid]')");
vbsetcookie("sessionhash",$session['sessionhash'],0);
$username = $user['username'];
}

$url=ereg_replace("sessionhash=[a-z0-9]{32}&","",$url);
$url=ereg_replace("\\?sessionhash=[a-z0-9]{32}","",$url);
$url=ereg_replace("s=[a-z0-9]{32}&","",$url);
$url=ereg_replace("\\?s=[a-z0-9]{32}","",$url);

if ($url!="" and $url!="index.php" and $url!=$HTTP_REFERER) {

if (strpos($url,"?")>0) {
$url.="&s=$session[dbsessionhash]";
} else {
$url.="?s=$session[dbsessionhash]";
}
//header("Location: $url");

$url = str_replace("\"", "", $url);
eval("standardredirect(\"".gettemplate("redirect_login")."\",\"$url\");");
} else {
$bbuserinfo=getuserinfo($userid);
eval("standardredirect(\"".gettemplate("redirect_login")."\",\"index.php?s=$session[dbsessionhash]\");");
}

dabean
05 Jun 2001, 00:30
hmm you've repeated the same block of code twice.


} // end secure passwords
$userid=$user[userid];
} else { // invalid username entered
eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
exit;
}


should be changed to

} // end secure passwords

kdog316
05 Jun 2001, 00:47
now i am getting this erorr
Parse error: parse error in /home/photo/public_html/tmbps/member.php on line 1370

and here are lines 1366-1370

eval("standarderror(\"".gettemplate("error_invalidsecureid")."\");");
}
}

? >

withput the space between the ? and the > of course

dabean
05 Jun 2001, 01:13
okay take a look at

// ############################### start secure email password ###############################
if ($action=="securepw") {


check that ?> doesn't appear above it.

kdog316
05 Jun 2001, 01:22
it wasnt even there let me see what happens when i add it

kdog316
05 Jun 2001, 01:26
i put it in but it still comes up with the erorr and with the line number of with ? > in it also this ? > is not above the security e-mail

dabean
05 Jun 2001, 01:47
hmm not sure exactly where you have gone wrong then.

rebby
05 Jun 2001, 18:42
in your instructions you have:replace
$users=$DB_site->query("SELECT username,email,password FROM user

with
$users=$DB_site->query("SELECT username,email,password,encryptedpass,userid

with this the email password feature fails.

this change will fix it: replace
$users=$DB_site->query("SELECT username,email,password

with
$users=$DB_site->query("SELECT username,email,password,encryptedpass,userid

rebby
05 Jun 2001, 19:43
this works great with the exception of in the user cp... the Secure password storage is not selected to yes or no by default and even if you select yes, it does nothing to the db... :confused:

it is encrypting passwords for new users taht select to have encrypted passwords from the start though (they can't unencrypted them like you noted though).

dabean
05 Jun 2001, 20:16
Find

if ($action=="editoptions") {
$templatesused = "modifyoptions_maxposts,modifyoptions_styleset,modifyoptions_stylecell,usercpnav, modifyoptions";
include("./global.php");
// do modify profile form

if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
show_nopermission();
}


now after that block add

// secure passwords
if ($bbuserinfo[encryptedpass]) {
$securepasswordchecked="checked";
$securepasswordnotchecked="";
} else {
$securepasswordchecked="";
$securepasswordnotchecked="checked";
}
// end secure passwords


find

if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
show_nopermission();
}

$adminemail=iif($allowmail=="yes",1,0);


change to


if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
show_nopermission();
}
// secure passwords
$cryptpassword=iif($securepassword=="yes",1,0);
// end secure passwords
$adminemail=iif($allowmail=="yes",1,0);


now find

//delete cookies if cookie user is off
if ($cookieuser==0) {
vbsetcookie("bbuserid","");
vbsetcookie("bbpassword","");
}


and after it add

// secure passwords
if ($bbuserinfo[encryptedpass]==1) {
// md5 hash password & store todo
$cryptpassword=1;
} else {
//
if ($cryptpassword==1) {
$DB_site->query("UPDATE user SET password='".addslashes(md5($bbuserinfo[password]))."' WHERE userid='$bbuserinfo[userid]'");
// set new hashed cookie
vbsetcookie("bbpassword",md5(md5($bbuserinfo[password])));
}
}
// end secure passwords


find

$DB_site->query("UPDATE user
SET ".$updatestyles."adminemail='$adminemail',
showemail='$showemail',invisible='$invisible',cookieuser='$cookieuser',
maxposts='".addslashes($umaxposts)."',daysprune='".addslashes($prunedays)."',
timezoneoffset='".addslashes($timezoneoffset)."',emailnotification='$emailnotification',
startofweek='".addslashes($startofweek)."',options='$options',receivepm='$receivepm',
emailonpm='$emailonpm',pmpopup='$pmpopup',usergroupid='$bbuserinfo[usergroupid]',
nosessionhash='$nosessionhash'
WHERE userid='$bbuserinfo[userid]'");


and change the line to

$DB_site->query("UPDATE user
SET ".$updatestyles."adminemail='$adminemail',
showemail='$showemail',invisible='$invisible',cookieuser='$cookieuser',
maxposts='".addslashes($umaxposts)."',daysprune='".addslashes($prunedays)."',
timezoneoffset='".addslashes($timezoneoffset)."',emailnotification='$emailnotification',
startofweek='".addslashes($startofweek)."',options='$options',receivepm='$receivepm',
emailonpm='$emailonpm',pmpopup='$pmpopup',usergroupid='$bbuserinfo[usergroupid]',
nosessionhash='$nosessionhash', encryptedpass='$cryptpassword'
WHERE userid='$bbuserinfo[userid]'");


now after

if ($newpassword!=$newpasswordconfirm) {
eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
exit;
}


add

// secure passwords
if ($bbuserinfo[encryptedpass]==1) {
$newpassword=md5($newpassword);
}
// end secure passwords


Alternativly download the updated zip file that now contains these additions that i forgot to paste into the orginal file.

rebby
05 Jun 2001, 20:20
what file is that for??? member.php???

dabean
05 Jun 2001, 20:21
member.php

rebby
05 Jun 2001, 20:23
Originally posted by dabean
member.php thanx... i'll give that a go and let you know.. :)

rebby
05 Jun 2001, 20:34
it now encrypts the password (like it should) however the bullet in the user cp does not reflect this...

rebby
05 Jun 2001, 20:35
Originally posted by rebby
it now encrypts the password (like it should) however the bullet in the user cp does not reflect this... never mind... i missed a block... :D sorry...

chrispadfield
11 Jun 2001, 00:13
Originally posted by mrlister
plain text passwords is the only reason why i have to memorize so many different passwords for each vB i sign up with.

I know what you mean however even if the passwords are set as standard to be encrypted (and i am sure it will be an option anyway) you can't trust the person operating the VB as they could easily hack it not to use encrypted passwords. Any password you use should really be unique or there is a chance someone could use it.

Lord Satan
15 Jun 2001, 10:09
Am I to understand that anyone can see anyone's password without the encryption?

What other security holes are there in vBB?

chrispadfield
15 Jun 2001, 10:14
Originally posted by Lord Satan
Am I to understand that anyone can see anyone's password without the encryption?

What other security holes are there in vBB?

clearly you don't understand. Only the admin can see anyone's (who has registered at their site's) password. Why would you expect any different. If you pass information to a site you have to expect them to be able to look at it if they want to.

and it is VB not vBB :)

rebby
15 Jun 2001, 13:58
Originally posted by chrispadfield





clearly you don't understand. Only the admin can see anyone's (who has registered at their site's) password. Why would you expect any different. If you pass information to a site you have to expect them to be able to look at it if they want to.



and it is VB not vBB :) actually that is not true. anybody w/access to the sql server can. if the server is comprimised... well, i won't point out the obvious....

atrl
21 Jun 2001, 16:35
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in /home/atrl/public_html/forums/member.php on line 139 is the error i get what do i do?

dabean
21 Jun 2001, 18:32
from the php manual "parse error, expecting `T_STRING' or `T_VARIABLE' ..." Generally that type of error is caused by the echo function, how ever as my code fragment doesn't use this particular function it is probibaly some other hack or modification you've made.

http://www.php.net/manual/en/function.echo.php Read the User Contributed Notes.

jmcneese
28 Jun 2001, 11:21
this is indeed very cool, and i have set it up on my site. one caveat, though.

should a user ever decide to go back to a non-encrypted password, this is not provided for. there of course is the option to select 'no' in the user template, but this has no effect on the stored password in the database. i may just be ignorant, but i don't know of a way to un-MD5 a password hash.

any ideas? otherwise i'll just change the template and remove the 'no' option for encrypted passwords, stating that it's an irreversable option.

thewitt
28 Jun 2001, 13:23
Though I have not looked at this particular hack, MD5 is a hashed-asymetric encryption that is not reversable.

You cannot take the MD5 hash and turn it back into the plain text password.

-t

rebby
28 Jun 2001, 13:56
Originally posted by thewitt
Though I have not looked at this particular hack, MD5 is a hashed-asymetric encryption that is not reversable.

You cannot take the MD5 hash and turn it back into the plain text password.

-t true... the only way to do this would be to prompt for the password, store it in a temporary variable, verify that it is correct, and then change the db if it is... you will have to use the temp var though cause like thewitt said you can't revert an md5 hash...

dabean
28 Jun 2001, 18:19
I had orginally planned on improving the hack to allow users to revert to plain text passwords, but forgot to post exactly how to do it. Yes md5 is indeed non-reversable but you can allways prompt for a new password. If anyone really wants the exact code to do this then I can post it.

jmcneese
28 Jun 2001, 18:25
yes, do post the code. i'm to lazy to figure it out myself. :D

dabean
28 Jun 2001, 20:26
first all you need to fix a little bug in hack.

In member.php Find

// validate old password
if ($currentpassword!=$bbuserinfo[password]) {
eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
exit;
}


above it add

// secure password mod - encrypt password
if ($bbuserinfo[encryptedpass]==1) {
$currentpassword=md5($currentpassword);
} // end secure password mod



now for the actual improvement.

File: member.php

Find...

if ($newpassword!=$newpasswordconfirm) {
eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
exit;
}

// secure passwords
if ($bbuserinfo[encryptedpass]==1) {
$newpassword=md5($newpassword);
}
// end secure passwords


replace it with

if ($newpassword!=$newpasswordconfirm) {
eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
exit;
}

// secure passwords
if ($encryption=="off" && $bbuserinfo[encryptedpass]==1) {
$DB_site->query("UPDATE user SET encryptedpass=0 WHERE userid='$bbuserinfo[userid]'");
} else {
if ($bbuserinfo[encryptedpass]==1) {
$newpassword=md5($newpassword);
}
}
// end secure passwords



Find

// secure passwords
if ($bbuserinfo[encryptedpass]==1) {
// md5 hash password & store todo
$cryptpassword=1;
$urltoforward=""
} else {


Replace with

// secure passwords
if ($bbuserinfo[encryptedpass]==1 && $cryptpassword==0) {
// md5 hash password & store todo
$cryptpassword=1;
$downgradepass=1;
} else {


Find

} else {
$goto="usercp.php?s=$session[sessionhash]";
}


replace with

} else { // secure passwords
if($downgradepass!=1) {
$goto="usercp.php?s=$session[sessionhash]";
} else {
$goto="member.php?s=$session[sessionhash]&action=editpassword&encryption=off";
}
} // end secure passwords


now for the templates

template modifypassword
below
<input type="hidden" name="s" value="$session[sessionhash]">

add
<input type="hidden" name="encryption" value="$encryption">

webhost
15 Jul 2001, 16:05
Is there anyway you can post a updated version of this hack in your first post of the thread. I saw where the last time you edited it was on the 5th I believe but I have seen on your last reply that you made changes on the 28th. Also does your zip also have Kevin's file in it?

dabean
15 Jul 2001, 16:34
Okay I've altered the zip to include the previous modifications and there is/was a table altering script included previously and currently so Kevin's file is no longer needed.

webhost
15 Jul 2001, 16:42
thanks

DarkReaper
18 Jul 2001, 08:00
Damn that took a while! finallty finished though and it works great, woo hoo! :D

rebby
18 Jul 2001, 15:02
Originally posted by DarkReaper
Damn that took a while! finallty finished though and it works great, woo hoo! :D yes, this hack is very slick... i can't wait until this is in the default install of vb...

rebby
31 Jul 2001, 15:46
i just upgraded to 2.0.3 and forgot about doing this hack :eek:

what changes might i need???

dabean
31 Jul 2001, 15:50
Not looked at 2.0.3 yet but nearly the whole hack would need reapplying. I'd guess.

rebby
31 Jul 2001, 16:14
i'm getting some errors but i may have made a typo. checking that now... i will let you know how things work for me.

rebby
31 Jul 2001, 16:36
it appears that i do NOT have a typo... what i'm getting is "The document contained no data."
when attempting to change my options in the user cp.. any ideas???

rebby
31 Jul 2001, 16:38
Originally posted by rebby
it appears that i do NOT have a typo... what i'm getting is "The document contained no data."
when attempting to change my options in the user cp.. any ideas??? i also get this when clicking change avatar.

rebby
31 Jul 2001, 17:06
the problem was w/the modifyoptions template...

Ruth
05 Aug 2001, 03:00
i'm not positive about this, but with this hack forgot pass template will not work, so users can't get their passwords emailed to them.

and with many registered users, i am not prepared to get emails asking ...what is my password?

dabean
05 Aug 2001, 13:38
Originally posted by Ruth
i'm not positive about this, but with this hack forgot pass template will not work, so users can't get their passwords emailed to them.

and with many registered users, i am not prepared to get emails asking ...what is my password?

This is not a problem with this hack as the password lookup functions are replaced with a automatic password regenerator should the password be encrypted.

Firstly the code checks to see if the password has been encypted if it has then a email is sent the account holder (valid email addresses are required for this feature to work, but vBulletin can check the validity at registration so its not that much of a problem).

Overview

Account holder requests a password lookup.
The account holder checks their email like they would for a normal password lookup. But this time they get a link to follow.
After following the link there new password is generated (does not use a wordlist to stop dictionary brute force attacks) and emailed to them. Or you could/can hack the template to display it on screen if you so wish.


The reason for the middle step in process is to prevent people typing in email addresses of their friends for fun and causing there password to get changed.

DarkReaper
08 Sep 2001, 20:28
I have this installed on 2.0.3 but now I can't get into my Admin CP. If the password is wrong it says it is, but if its right it just refreshes the page. Help!

DarkReaper
13 Sep 2001, 02:49
Hello???

Has anyone gotten this to work on vB 2.0.3??

dabean
13 Sep 2001, 03:07
Works fine with 2.0.3 recheck you've modified the files correctly.

DarkReaper
14 Sep 2001, 21:12
I just redid everything, and it works almost perfectly. When registering, the user gets an error saying an error has occured and an email has been dispatched...blah blah. Here's the email:


Database error in vBulletin: Invalid SQL: INSERT INTO userfield (userid,field5,field6,field7,field1,field2,field3,field4) VALUES (52,'','','','','','','')
mysql error: Duplicate entry '52' for key 1
mysql error number: 1062
Date: Friday 14th of September 2001 09:04:44 PM
Script: /forums/register.php
Referer: http://www.mysite.org/forums/register.php


However, it creates the user just fine, and they can login and everything. Here's the relevent section of code from member.php:


// encypted password modification
$DB_site->query("INSERT INTO user (userid,username,password,email,".$newstylefield."parentemail,coppauser,homepage,icq,aim,yahoo,signature,adminemail,showemail,invi sible,usertitle,joindate,cookieuser,daysprune,lastvisit,lastactivity,usergroupid ,timezoneoffset,emailnotification,receivepm,emailonpm,options,birthday,maxposts, startofweek,ipaddress,pmpopup,referrerid,nosessionhash,encryptedpass) VALUES (NULL,'".addslashes(htmlspecialchars($username))."','".addslashes($password)."','".addslashes(htmlspecialchars($email))."',".$newstyleval."'".addslashes(htmlspecialchars($parentemail))."','$coppauser','".addslashes(htmlspecialchars($homepage))."','".addslashes(htmlspecialchars($icq))."','".addslashes(htmlspecialchars($aim))."','".addslashes(htmlspecialchars($yahoo))."','".addslashes($signature)."','$adminemail','$showemail','$invisible','".addslashes($usertitle)."','".time()."','$cookieuser','".addslashes($prunedays)."','".time()."','".time()."','$newusergroupid','".addslashes($timezoneoffset)."','$emailnotification','$receivepm','$emailonpm','$options','".addslashes($birthday)."','".addslashes($umaxposts)."','".addslashes($startofweek)."','".addslashes($ipaddress)."','$pmpopup','".addslashes($testreferrerid['userid'])."','$nosessionhash','$encryptedpass')");
// end secure password modification
$userid=$DB_site->insert_id();

// insert custom user fields
$DB_site->query("INSERT INTO userfield $userfieldsnames VALUES ($userid$userfields)");


What's going on here?

dabean
14 Sep 2001, 22:05
mysql error: Duplicate entry '52' for key 1

Okay this error is nothing to do with this hack but is more a problem of having entries in userfield table that basically shouldn't exist. I'm going to presume that you deleted user 52 at some point in the past but didn't remove the matching record from the userfield table.

DarkReaper
15 Sep 2001, 14:58
I guess I didn't fully understand the way vB works with users:). I had reverted to a backup of the 'user' table but left userfield as it was. There was a one user difference...that was the problem :)