Closed CarlWSoderstrom closed 5 years ago
This issue seems to be related to a bug when trying to save user information and not intending to change the password (ie. passwords area is left blank). The way the code works, it creates a hash nonetheless and replaces the password hash on the database.
I have issued PR #69 that addresses this issue. You can see the changes there.
Fortunately (unfortately security-wise) the password is a simple, unsalted MD5 hash, so you can hash the old password and put it back in the DB. After applying the PR, you will not have those issues anymore.
phpnuget 4.0.0.2, using text database not MySQL. I've done this on both Ubuntu 16.04 and Ubuntu 18.04.
I set up a new phpnuget server on Ubuntu 18.04 with PHP 7.2. It seemed to work at first - I could log in as 'admin' using the password I set. However, when someone else tried to log in as admin they could not. There is no error recorded in the logs, nor does any error appear in the UI about the password being incorrect (even if the wrong username and password are used, there's still no feedback about this).
Eventually they re-ran the setup.php script, and were thereafter able to log in.
I logged in using the same password they set, and tried changing the password using the web UI. The password as recorded in settings.php did not change, and thereafter I was unable to log in as admin.
I've tried re-running settings.php, but to no avail.
A cookie does get set.
Permissions are wide open to the webserver for modification:
Can we get more logging/feedback about successful or unsuccessful login attempts? How can I troubleshoot this problem further?