  #1  
Old 01 Sep 2014, 10:06
xXZarghamXx xXZarghamXx is offline
 
Join Date: Mar 2008
Getting user password in plain text

I need to get the user password in plaintext when they change their password. Then I will feed them to a hashing algo for a third party application. In profile.php which variable actually stores the user password in plaintext and at which point?

I am interested in the start update password part

Is it
Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Thanks for the guidance
  #2  
Old 01 Sep 2014, 10:40
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
The variable is $vbulletin->GPC['newpassword'].
Hook location profile_updatepassword_start.

Although it's better to save the $vbulletin->GPC['newpassword'] variable in your own variable at profile_updatepassword_start and then use profile_updatepassword_complete to use the variable for your third party application because the password is updated/checked at that point.
  #3  
Old 02 Sep 2014, 13:16
Scanu Scanu is offline
 
Join Date: Nov 2010
Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would have to edit template and remove something like onsubmit="md5(...password)...."

Last edited by Scanu; 02 Sep 2014 at 14:29.
  #4  
Old 02 Sep 2014, 14:25
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
Originally Posted by Scanu:
Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would have to edit template and remove something like onsubmit="md5(...password)...."
Good one, upon sending the form the currentpassword, newpassword and newpasswordconfirm values are being emptied and the only available variables contain MD5 hashes.
  #5  
Old 02 Sep 2014, 14:31
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Originally Posted by Scanu:
Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would have to edit template and remove something like onsubmit="md5(...password)...."
That's true, but there are ways to turn it off without editing the javascript. You can define the constant DISABLE_PASSWORD_CLEARING (maybe in config.php) to turn off the feature entirely. If you only want to turn it off for password changes, you can set the variable $show['nopasswordempty'] to 1, maybe at the hook parse_templates, like:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

  #6  
Old 02 Sep 2014, 14:33
Scanu Scanu is offline
 
Join Date: Nov 2010
Then there are 2 possibilities
Edit the 3rd party application to use md5 password or

Remove the md5 javascript function in the template (Update) or using Kevin's way above
and do something like this in php

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

  #7  
Old 03 Sep 2014, 00:48
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
I hope you are using https on your site, otherwise you are transmitting plaintext passwords over the internet, generally not a good idea.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
  #8  
Old 03 Sep 2014, 09:49
Scanu Scanu is offline
 
Join Date: Nov 2010
Originally Posted by Paul M:
I hope you are using https on your site, otherwise you are transmitting plaintext passwords over the internet, generally not a good idea.
As far as I know, even if you send an md5 hashed password over an http connection, a hacker could intercept it and remove the javascript md5 function on the client side (with Chrome it's really easy). This way the md5 password will be directly sent to the server and the hacker would gain access, so there's no big difference but yeah it's still better to not send plain text passwords.
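Added example (not written by any poster in this thread, and not vBulletin code): a small Node.js model of what posts #4 to #8 describe, showing that a cleared form leaves the server with no plaintext to pass to a third-party hasher, and that the client-side MD5 is itself the credential, so only HTTPS protects it in transit. The storage scheme `md5(md5(password) + salt)`, the field name `password_md5` and every function name here are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Assumed storage scheme for this model: salted hash of the client-side MD5.
function makeAccount(password, salt) {
  return { salt, stored: md5(md5(password) + salt) };
}

// Models the form's onsubmit handler. With clearing on (the default described
// in the thread) the plaintext field is emptied and only the MD5 is sent.
function clientSubmit(password, clearing = true) {
  return { password: clearing ? '' : password, password_md5: md5(password) };
}

// Server-side check: uses the pre-hashed field when present.
function serverVerify(account, form) {
  const inner = form.password_md5 || md5(form.password);
  const candidate = Buffer.from(md5(inner + account.salt));
  return crypto.timingSafeEqual(candidate, Buffer.from(account.stored));
}

// What a server-side hook can hand to a third-party hashing routine.
function plaintextForThirdParty(form) {
  return form.password === '' ? null : form.password;
}

// A form body observed on plain HTTP holds no plaintext, yet resubmitting
// its MD5 field unchanged passes the same check: the hash is the credential.
function capturedFormStillAuthenticates(account, observedForm) {
  const resent = { password: '', password_md5: observedForm.password_md5 };
  return serverVerify(account, resent);
}

// Constructed sample data, not taken from any real site.
const account = makeAccount('correct horse battery', 'c0nstructedSalt');
const cleared = clientSubmit('correct horse battery');
const uncleared = clientSubmit('correct horse battery', false);

console.log('plaintext available (cleared form):', plaintextForThirdParty(cleared));
console.log('plaintext available (clearing off):', plaintextForThirdParty(uncleared));
console.log('observed MD5 accepted by server:', capturedFormStillAuthenticates(account, cleared));
```

Turning clearing off makes the plaintext reach the server, which is what the third-party hasher needs, and it also puts the plaintext on the wire, so the change should only be made on a site served over HTTPS.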