EVE-SECURE / evedev-kb

Automatically exported from code.google.com/p/evedev-kb

common/login.php crypt() of admin password not working in trunk #29

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Upgrade a pre 2.0 kb to trunk
2. Try to perform an admin login
3. Observe inability to log in

What is the expected output? What do you see instead?

Expected to log in; instead, login fails.

What version of the product are you using? On what operating system?

trunk on linux. php 5.2.6

Please provide any additional information below.

This may be a work-in-progress issue but since it's been an issue since 2009-09-05 with r103 I thought I'd file a bug against it.

For the time being I've reverted the change to what was in pre 2.x kbs:

Index: login.php
===========================================================
========
--- login.php   (revision 127)
+++ login.php   (working copy)
@@ -3,7 +3,7 @@

 if (trim($_POST['usrpass']))
 {
-   if ($_POST['usrlogin'] == '' && crypt($_POST['usrpass'],ADMIN_PASSWORD) == 
ADMIN_PASSWORD )
+   if ($_POST['usrlogin'] == '' && $_POST['usrpass'] == ADMIN_PASSWORD)
    {
        session::create(true);
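
Review bot: the replacement condition `$_POST['usrpass'] == ADMIN_PASSWORD` only matches when ADMIN_PASSWORD holds the plaintext password, so it locks out every board whose stored value is already a crypt() hash and keeps the admin secret in plaintext. Rather than swapping one check for the other, keep the crypt() match and fall back to the plaintext comparison only when ADMIN_PASSWORD is not a crypt() hash, until the stored passwords are converted. Both the removed and the added comparison use loose `==`, which compares numeric-looking strings by value; use `===`.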

@@ -25,4 +25,4 @@

 $page->setContent($smarty->fetch(get_tpl('user_login')));
 $page->generate();
-?>
\ No newline at end of file
+?>
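
Review bot: the `?>` change at the end of login.php only adds a trailing newline and is unrelated to the login check, so it should be left out of this patch. If the end of the file is touched at all, dropping the closing `?>` is the safer form for a PHP-only file, since nothing after the last statement can then be sent as output.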

Original issue reported on code.google.com by twe...@gmail.com on 26 Sep 2009 at 2:57

GoogleCodeExporter commented 9 years ago
Your fix will unfortunately break every board with an encrypted password. The removal of non-encrypted logins was not intended to be submitted yet. It should be done alongside a script to encrypt stored passwords that are still unencrypted. Since it's submitted I'll leave this open until a script to fix the password is added.

Original comment by kovellia on 27 Sep 2009 at 1:53
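
One way to handle the transition described in the comment above, accepting both crypt()-hashed and still-unencrypted stored passwords and converting the latter on first login. This is an added example, not evedev-kb code and not the change made in r167. It assumes a current PHP with `password_verify()` and `hash_equals()` rather than the PHP 5.2.6 from the report; `looks_like_crypt_hash()` and `verify_admin_password()` are hypothetical names.

```php
<?php
// Added example, not evedev-kb code. Assumes PHP >= 5.6 (password_* and
// hash_equals), not the PHP 5.2.6 named in the report.

// Hypothetical helper: does the stored value look like crypt() output?
// A 13-character plaintext made only of [./0-9A-Za-z] is also treated as a
// hash, so that login fails closed and the password needs a manual reset.
function looks_like_crypt_hash($stored)
{
    return preg_match('#^\$[0-9a-z]+\$.+\$.+#', $stored) === 1   // $id$...$...
        || preg_match('#^[./0-9A-Za-z]{13}$#', $stored) === 1;   // traditional DES
}

// Returns array($ok, $new_hash). $new_hash is non-null when the caller should
// replace the stored value (the storage step is hypothetical and not shown).
function verify_admin_password($supplied, $stored)
{
    if (looks_like_crypt_hash($stored)) {
        // password_verify() accepts any crypt()-format hash and compares in
        // constant time. There is no plaintext fallback on this branch:
        // with one, the stored hash itself would be accepted as a password.
        if (!password_verify($supplied, $stored)) {
            return array(false, null);
        }
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($supplied, PASSWORD_DEFAULT)
            : null;
        return array(true, $new);
    }
    // Legacy plaintext value: accept it once and hand back a hash to store.
    if (hash_equals($stored, $supplied)) {
        return array(true, password_hash($supplied, PASSWORD_DEFAULT));
    }
    return array(false, null);
}

// Constructed sample values, not taken from any real board.
$legacy = 'legacy plaintext pw';
$hashed = password_hash('s3cret', PASSWORD_DEFAULT);

var_dump(verify_admin_password('legacy plaintext pw', $legacy)); // plaintext still stored
var_dump(verify_admin_password('s3cret', $hashed));              // hash already stored
var_dump(verify_admin_password($hashed, $hashed));               // hash supplied as the password
```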

GoogleCodeExporter commented 9 years ago
Yeah, I didn't intend to imply that this was a "fix". It was only to show where the issue was and what I needed to do on this install to be able to log in to admin again. Thx.

Original comment by twe...@gmail.com on 27 Sep 2009 at 1:57

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r167.

Original comment by kovellia on 31 Oct 2009 at 3:58