kendarorg / PhpNuget

Php nuget manager supporting complex queries on txt files or MySQL
http://www.kendar.org/?p=/dotnet/phpnuget

Can't log in anymore #61

Closed CarlWSoderstrom closed 5 years ago

CarlWSoderstrom commented 6 years ago

phpnuget 4.0.0.2, using text database not MySQL. I've done this on both Ubuntu 16.04 and Ubuntu 18.04.

I set up a new phpnuget server on Ubuntu 18.04 with PHP 7.2. It seemed to work at first - I could log in as 'admin' using the password I set. However, when someone else tried to log in as admin they could not. There is no error recorded in the logs, nor does any error appear in the UI about the password being incorrect (even if the wrong username and password are used, there's still no feedback about this).

Eventually they re-ran the setup.php script, and were thereafter able to log in.

I logged in using the same password they set, and tried changing the password using the web UI. The password as recorded in settings.php did not change, and thereafter I was unable to log in as admin.

I've tried re-running settings.php, but to no avail.

A cookie does get set.

Permissions are wide open to the webserver for modification:

drwxr-xr-x 12 www-data root 4.0K Nov 16 09:03 ./
drwxr-xr-x  4 root     root 4.0K Apr 20 06:46 ../
drwxr-xr-x  7 www-data root 4.0K Oct  5  2017 api/
drwxr-xr-x  4 www-data root 4.0K Oct  5  2017 assets/
drwxr-xr-x  2 www-data root 4.0K Oct  5  2017 bin/
drwxr-xr-x  2 www-data root 4.0K Oct  5  2017 content/
drwxr-xr-x  4 www-data root 4.0K Oct  5  2017 data/
-rw-r--r--  1 www-data root 1.2K Oct  5  2017 favicon.ico
-rw-r--r--  1 www-data root 1.6K Oct  5  2017 favicon.png
-rw-r--r--  1 www-data root  331 Oct  5  2017 _footer.php
-rw-r--r--  1 www-data root 1.8K Oct  5  2017 _header.php
-rw-r--r--  1 www-data root  11K May 10 10:46 .htaccess
drwxr-xr-x  7 www-data root 4.0K Oct  5  2017 inc/
-rw-r--r--  1 www-data root 4.7K Oct  5  2017 index.php
-rw-r--r--  1 www-data root  11K May 10 10:46 ManagedFusion.Rewriter.txt
-rw-r--r--  1 www-data root  749 Oct  5  2017 _navbar.php
drwxr-xr-x  2 www-data root 4.0K Oct  5  2017 packages/
-rw-r--r--  1 www-data root  137 Oct  5  2017 root.php
drwxr-xr-x  4 www-data root 4.0K Oct  5  2017 scripts/
-rw-r--r--  1 www-data root 1.2K May 10 10:46 settings.php
-rw-r--r--  1 www-data root  881 Oct  5  2017 setup.php
drwxr-xr-x  2 www-data root 4.0K Oct  5  2017 tests/
drwxr-xr-x  2 www-data root 4.0K Oct  5  2017 upload/
-rw-r--r--  1 www-data root 2.6K Oct  5  2017 uploadnupkg.php
-rw-r--r--  1 www-data root  23K May 10 10:46 web.config
$ ls -alhF data/
total 20K
drwxr-xr-x  4 www-data root 4.0K Oct  5  2017 ./
drwxr-xr-x 12 www-data root 4.0K Nov 16 09:03 ../
drwxrwxr-x  3 www-data root 4.0K May 10 10:46 db/
-rw-r--r--  1 www-data root   13 Oct  5  2017 .htaccess
drwxrwxr-x  2 www-data root 4.0K May  4 03:08 packages/

Can we get more logging/feedback about successful or unsuccessful login attempts? How can I troubleshoot this problem further?

bkraul commented 5 years ago

This issue seems to be related to a bug when trying to save user information and not intending to change the password (i.e. the passwords area is left blank). The way the code works, it creates a hash nonetheless and replaces the password hash on the database.

I have issued PR #69 that addresses this issue. You can see the changes there.

bkraul commented 5 years ago

Fortunately (unfortunately security-wise) the password is a simple, unsalted MD5 hash, so you can hash the old password and put it back in the DB. After applying the PR, you will not have those issues anymore.
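The save bug described two comments up, the lock-out it causes, and the MD5 recovery path described in the comment above, as an added PHP illustration. This is not PhpNuget's own code and not the contents of PR #69: the user-record shape and the function names (saveUserBuggy, saveUserFixed, login, saveUserHardened) are assumptions, the failed-login logging answers the logging request in the original report, and the password_hash() variant at the end is a hardening suggestion that goes beyond what the thread states.

```php
<?php
// Added illustration, not PhpNuget code. Models the "blank password field still
// rehashes" bug beside a save routine that leaves the stored hash alone when no
// new password is supplied. Record shape and function names are hypothetical.

// Constructed sample user record; the hash is unsalted MD5, as the thread states.
function makeUser(string $name, string $password): array {
    return ['user' => $name, 'hash' => md5($password)];
}

// Buggy behaviour: every save recomputes the hash, even from an empty field,
// so md5('') silently overwrites the real hash and the account is locked out.
function saveUserBuggy(array $user, string $newPassword): array {
    $user['hash'] = md5($newPassword);
    return $user;
}

// Fixed behaviour: a blank field means "keep the current password".
function saveUserFixed(array $user, string $newPassword): array {
    if ($newPassword !== '') {
        $user['hash'] = md5($newPassword);
    }
    return $user;
}

// Login check that records failures, which the original report asked for.
// hash_equals() is a constant-time comparison.
function login(array $user, string $password): bool {
    $ok = hash_equals($user['hash'], md5($password));
    if (!$ok) {
        error_log(sprintf('phpnuget: failed login for user "%s"', $user['user']));
    }
    return $ok;
}

// Recovery path from the comment above: with file access, an operator can write
// md5() of the old password straight back into the record.
function restoreMd5Password(array $user, string $oldPassword): array {
    $user['hash'] = md5($oldPassword);
    return $user;
}

// Hardening beyond the PR (suggestion, not the project's approach): store
// password_hash() output, which salts and uses a slow algorithm, and verify
// with password_verify(). The blank-field rule is kept.
function saveUserHardened(array $user, string $newPassword): array {
    if ($newPassword !== '') {
        $user['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }
    return $user;
}

function loginHardened(array $user, string $password): bool {
    return password_verify($password, $user['hash']);
}

// Walk-through on a constructed admin record.
$admin = makeUser('admin', 'correct horse');

// Edit the profile without touching the password field.
$afterBuggy = saveUserBuggy($admin, '');
$afterFixed = saveUserFixed($admin, '');

echo 'fresh record, right password:        ', var_export(login($admin, 'correct horse'), true), "\n";
echo 'after buggy save, right password:    ', var_export(login($afterBuggy, 'correct horse'), true), "\n";
echo 'after fixed save, right password:    ', var_export(login($afterFixed, 'correct horse'), true), "\n";

$recovered = restoreMd5Password($afterBuggy, 'correct horse');
echo 'after restoring md5 hash:            ', var_export(login($recovered, 'correct horse'), true), "\n";

$hardened = saveUserHardened($admin, 'correct horse');
echo 'hardened hash, right password:       ', var_export(loginHardened($hardened, 'correct horse'), true), "\n";
echo 'hardened hash, blank save, right pw: ', var_export(loginHardened(saveUserHardened($hardened, ''), 'correct horse'), true), "\n";
```

Run with `php` on the command line; the two "buggy save" and "fixed save" lines show the lock-out and its fix, and the failed attempt is written to the PHP error log so an operator can see it instead of getting silence in the UI.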

bkraul commented 5 years ago

You can check out my fork and try out the develop branch, which incorporates all the PRs I have submitted here.