Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[phpBB 3] passwords with special characters not recognized #221

Open
burner1024 opened this issue Mar 22, 2019 · 6 comments
Open

[phpBB 3] passwords with special characters not recognized #221

burner1024 opened this issue Mar 22, 2019 · 6 comments

Comments

@burner1024
Copy link

Any user having an & (ampersand) in their password is not able to login after merge.

Apparently phpBB replaces it with & prior to hashing and storing in the database. So "test1&test1" password is in fact "test1&test1" as far as phpBB is concerned. But loginconvert.php uses pristine password for comparison, and the result is that the hashes never match.
Same for other special characters.

This lets such users log in:

 function check_phpbb3($password, $user)
 {
        // The bcrypt hash is at least 60 chars and is used in phpBB 3.1
-       if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt($password, $user['passwordconvert']))
+       if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt(htmlspecialchars($password), $user['passwordconvert']))

This is true for phpBB 3.2.4, not sure about other releases.
Also not sure whether it's a bug or a feature of phpBB, but I think Merge System should handle this either way, even it requires some ugly version detection.
@veryard
Copy link
Contributor

veryard commented Mar 22, 2019

Interesting, if it's not a case for the older versions of phpBB we could do a check against the phpbb_config tables and pull the phpBB version from there, config_name = version would return the phpBB version.

Ideally someone would need to figure what version have it and what versions don't.

@euantorano
Copy link
Member

That's weird, I wouldn't have expected them to be escaping entities in passwords at all! We'll definitely have to do some research, I'll look at their code and see if I can see where they hash passwords and how long its been that way.

@euantorano
Copy link
Member

From a quick glance at phpBB's current source code, I can't see anything obvious that would be converting characters to HTML entities, but I'm not too familiar with their code.

@burner1024
Copy link
Author

I dumped passwords/driver/bcrypt.php to find this out.

@euantorano
Copy link
Member

Ah, weird. I looked at pretty much everything except the individual drivers. Thanks @burner1024.

@hirolee88
Copy link

mark

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@euantorano @burner1024 @hirolee88 @veryard