mybb / merge-system

The MyBB Merge System allows for easy merging of an existing forum (be it MyBB or another forum software) into a MyBB 1.8.x forum.

[phpBB 3] passwords with special characters not recognized #221

Open burner1024 opened 5 years ago

burner1024 commented 5 years ago

Any user having an & (ampersand) in their password is not able to log in after merge.

Apparently phpBB replaces it with \& prior to hashing and storing in the database. So "test1&test1" password is in fact "test1\&test1" as far as phpBB is concerned. But loginconvert.php uses the pristine password for comparison, and the result is that the hashes never match. Same for other special characters.

This lets such users log in:

 function check_phpbb3($password, $user)
 {
        // The bcrypt hash is at least 60 chars and is used in phpBB 3.1
-       if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt($password, $user['passwordconvert']))
+       if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt(htmlspecialchars($password), $user['passwordconvert']))
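
Review bot: the changed condition in check_phpbb3 now accepts only the htmlspecialchars-escaped form, so any 60+ character hash that was computed from the unescaped password would stop matching; consider accepting either form, comparing the stored value against both crypt($password, ...) and crypt(htmlspecialchars($password), ...). htmlspecialchars is also called without explicit flags or encoding, so which characters get escaped follows PHP's defaults, and those differ between PHP versions; passing them explicitly keeps the result stable. The comparison itself uses ==, where hash_equals() would give a strict, constant-time string comparison.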

This is true for phpBB 3.2.4, not sure about other releases. Also not sure whether it's a bug or a feature of phpBB, but I think Merge System should handle this either way, even if it requires some ugly version detection.
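
The mismatch described in this comment, and a check that accepts either form, as an added example (not code from the Merge System or phpBB). The function names are hypothetical, and the `ENT_COMPAT`/UTF-8 escaping is an assumption, since the page does not say which flags phpBB applies.

```php
<?php
// Added illustration; none of these functions exist in the Merge System.

// Assumption: the source forum escaped the password before hashing it.
function simulate_source_hash(string $password): string
{
    $stored_form = htmlspecialchars($password, ENT_COMPAT, 'UTF-8');
    return password_hash($stored_form, PASSWORD_BCRYPT);
}

// Inputs to try: the raw password, plus the escaped form when it differs.
function candidate_inputs(string $password): array
{
    $escaped = htmlspecialchars($password, ENT_COMPAT, 'UTF-8');
    return $escaped === $password ? [$password] : [$password, $escaped];
}

// Accept the login if either form reproduces the stored bcrypt hash.
function check_bcrypt_either_form(string $password, string $stored_hash): bool
{
    if (strlen($stored_hash) < 60) {
        return false; // not a bcrypt hash
    }
    $ok = false;
    foreach (candidate_inputs($password) as $candidate) {
        $computed = crypt($candidate, $stored_hash);
        // hash_equals compares in constant time; no early exit from the loop.
        if (is_string($computed) && hash_equals($stored_hash, $computed)) {
            $ok = true;
        }
    }
    return $ok;
}

// Constructed sample data: the password from the issue text.
$hash = simulate_source_hash('test1&test1');

// Raw-only comparison, as in the code before the patch.
var_dump(hash_equals($hash, crypt('test1&test1', $hash)));
// Either-form check with the right and a wrong password.
var_dump(check_bcrypt_either_form('test1&test1', $hash));
var_dump(check_bcrypt_either_form('test1&wrong', $hash));
// A password with no special characters has a single candidate.
var_dump(check_bcrypt_either_form('plainpass', simulate_source_hash('plainpass')));
```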

veryard commented 5 years ago

Interesting. If it's not the case for the older versions of phpBB, we could do a check against the phpbb_config tables and pull the phpBB version from there; config_name = version would return the phpBB version.

Ideally someone would need to figure out which versions have it and which versions don't.

euantorano commented 5 years ago

That's weird, I wouldn't have expected them to be escaping entities in passwords at all! We'll definitely have to do some research. I'll look at their code and see if I can see where they hash passwords and how long it's been that way.

euantorano commented 5 years ago

From a quick glance at phpBB's current source code, I can't see anything obvious that would be converting characters to HTML entities, but I'm not too familiar with their code.

burner1024 commented 5 years ago

I dumped passwords/driver/bcrypt.php to find this out.

euantorano commented 5 years ago

Ah, weird. I looked at pretty much everything except the individual drivers. Thanks @burner1024.

hirolee88 commented 11 months ago

mark