FUDforum: Plugins and Code Hacks » fud_update_user, fud_add

Home » FUDforum Development » Plugins and Code Hacks » fud_update_user, fud_add_user patch (Password was stored as plain text instead of hash)

Show: Today's Messages :: Polls :: Message Navigator

fud_update_user, fud_add_user patch [message #166629]

Wed, 01 February 2012 06:58

NeXuS
Messages: 121
Registered: July 2010
Location: South Korea

Karma: 5

Senior Member
Contributing Core Developer

Here is the patch. Storing the password in SHA1 salted from and generating new salt (better than MD5 without salt).

EDIT: uploaded improved patch

Attachment: fudapi.diff
(Size: 2.24KB, Downloaded 1039 times)

[Updated on: Thu, 02 February 2012 07:35]

Report message to a moderator

Re: fud_update_user, fud_add_user patch [message #166642 is a reply to message #166629]

Sat, 04 February 2012 08:27

DaveQB

Messages: 109
Registered: January 2006
Location: Sydney

Karma: 0

Senior Member

WOW! What?

Out of the box FUDforum stores passwords as plain text??

Ok looking in the DB for my forum (v3.0.3) the passwords are hashes of some sort and there is a salt column in the users table....but it is NULL for everyone.

So the devs of FUDforum provised a salt table but haven't implemented it and your patch actually uses salt for each user?
Can this patch be applied to an already running forum? How to the existing passwords get along with this patch?

Report message to a moderator

Re: fud_update_user, fud_add_user patch [message #166643 is a reply to message #166642]

Sat, 04 February 2012 08:32

NeXuS
Messages: 121
Registered: July 2010
Location: South Korea

Karma: 5

Senior Member
Contributing Core Developer

EDIT : FUDforum does not store passwords in plain text.

FUDforum supports 2 authentication models: straight MD5 hashing of password, or SHA1 hashing of (password concatenated with SHA1 hash of salt). If the salt is present, FUD assumes SHA1, otherwise plain MD5.

The fud_update_user and fud_add_user functions (which are intended for integration, and are not directly called by FUDforum) were simply wrongly coded and stored passwords in plaintext (thus login would not work, since it expects an hash). I just made sure that they use the most secure form possible, although it is slightly more expensive (two hashes for every authentication instead of one).

[Updated on: Sat, 04 February 2012 08:41]

Report message to a moderator

Re: fud_update_user, fud_add_user patch [message #166649 is a reply to message #166643]

Sun, 05 February 2012 06:01

DaveQB

Messages: 109
Registered: January 2006
Location: Sydney

Karma: 0

Senior Member

Umm so this patch is not needed for systems without funcitonal issues and hashed passwords?

It seems my forum is not using salt, so I would like it to. Do I wait for the next update??

Report message to a moderator

Re: fud_update_user, fud_add_user patch [message #166650 is a reply to message #166649]

Sun, 05 February 2012 15:24

NeXuS
Messages: 121
Registered: July 2010
Location: South Korea

Karma: 5

Senior Member
Contributing Core Developer

DaveQB wrote on Sun, 05 February 2012 15:01

Umm so this patch is not needed for systems without funcitonal issues and hashed passwords?

Indeed, it is not needed on a functional forum. It is needed only if you want to manipulate user data via the API.

Quote:

It seems my forum is not using salt, so I would like it to. Do I wait for the next update??

I have not yet a full understanding of the inner workings of FUD, but one of the things I wish to do is have the salt be used by default. Look forward to it in one of the upcoming versions.

Report message to a moderator