Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

PostPosted: Sat Apr 01, 2006 7:16 am Reply with quote

I have had troubles changing my password. I was logged in as an admin, but my user just wouldn't login. God knows what changed, but my site has been working fine until today. I started seeing the GFX check, yet I had set this to 0 for no graphics, and confirmed it was working by outputting the value in my main-menu block.

Anyway - so i tried to reset my password and all was ok again. I have now tried to set it back to my usual password and this contains a "." and a ">" and when i go to my user menu -> user info and change the password - it thinks that the passwords do not match. I realise sometimes you can slip up, but i typed them about 4 times and it still said that they mismatch? What gives
 
View user's profile Send private message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sat Apr 01, 2006 7:42 am Reply with quote

still using the same block?
a gfx check doesnt suddenly goes on or off Smile
and password lenght set somewhere?
 
View user's profile Send private message
Blind-Summit
PostPosted: Sat Apr 01, 2006 8:49 am Reply with quote

I have a block called block-main.menu.php

the ONLY thing I altered was the nuke sentinel setting to turn the admin auth to off because a few of them needed to setup new passwords. I hate how it's plaintext and that you can't just copy the md5 hash from their user account over to the admin account in the DB. That's what i did to create new authors on the site so why does the password have to be plainetext.

Anyway I copied the graphic check section from the raven login block to this main-menu module, and that has stopped the graphi check from appreaing (since the config file is set to 0) but I still can't login. I can login as an admin, and I can see in the DB that my password hash is identical to the user password hash - so I can only guess that something was gone terribly wrong.
 
hitwalker
PostPosted: Sat Apr 01, 2006 8:51 am Reply with quote

well generate it in phpmyadmin again..
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 8:57 am Reply with quote

So if I copy the user's hash from prefix_users to prefix_ whatever the sentinel bit is - then I don't need the plaintext bit?
 
hitwalker
PostPosted: Sat Apr 01, 2006 9:02 am Reply with quote

listen...if you installed nuke with same admin username and pass you can just grab the md5 passfrom the authors table.
check with yours in the user table if they are the same.
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 9:12 am Reply with quote

Yeah - I already checked that. It doesn't let me login. I can go in fine as an admin, but not as a user. When I reset my password to and get the abc123def type pass e-mailed to me - then it works fine. But I tried to change my pass back to what it used to be here:

Image

it simple says that they do not match

Image

Whilst my block is old and was from the standard phpNuke type setup, the Your_Account index.php was a default ravenscript one. Can you guys test that and see if you have a . or a > or < in your password if it will let you change them?
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 9:27 am Reply with quote

Also just used the admin panel to make a new user with the same password that I want to set for my account. Again it's identical in the database - but I just can't login with it.

So much for using hard passwords!
 
hitwalker
PostPosted: Sat Apr 01, 2006 9:50 am Reply with quote

try cleaning your computer internet history,including cookies etc...
then try again,if all fails let someone else have a look.
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 11:02 am Reply with quote

yeah - i dumped everything, saved passwords, saved form details, cookies, history, and downloaded files / cached content.

I'm sure it's a code issue and not the above because I can login fine with a normal text password - but it's just screwed on the user login with a "hardcore" password

it's 8 chars so it's within the length - but the fact that the your account / your info section thinks the passwords are different - leads me to think that the symbols I use are effecting the checking process
 
hitwalker
PostPosted: Sat Apr 01, 2006 11:04 am Reply with quote

Symbols ?
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 11:09 am Reply with quote

< > . etc
 
hitwalker
PostPosted: Sat Apr 01, 2006 11:15 am Reply with quote

thats not smart
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 11:18 am Reply with quote

to use in a password? well maybe now - but it had been ok before, and I had used the same one for nuke 7.4 and 7.6 so why should it be different now!??!

I can just use a text / numerical pass - but symbols are better still


Can you give it a go on your site - just try changing your pass and adding say a < or > to it and see if it thinks they are different - and if that's ok - if you can login still
 
hitwalker
PostPosted: Sat Apr 01, 2006 11:23 am Reply with quote

lol...im not gonna change anything...
i never understand why people have to use these weird symbols,you could easely use 6vb6wyy , or aqzpftcmk, but why <.&*^%kaching!#>
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 11:27 am Reply with quote

true - but i'm more concerned with why it worked before, and not now - and also, why it's ok for my admin password still?

Register on my site and have a go ?
 
hitwalker
PostPosted: Sat Apr 01, 2006 12:35 pm Reply with quote

well im not gonna,just change your pass into something deifferent,and without weird symbols..
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 12:43 pm Reply with quote

I found the section of code that's causing the error:

$user_password = htmlspecialchars(stripslashes($user_password));

This wasn't present in 7.4 and I assume it's in place to stop malicious code. The only thing is - I outputted my password after it had removed the special chars - and it was just the same as the $vpass value? so what gives?!



The idea of symbols is just good practice in keeping secure / complex passwords.
 
hitwalker
PostPosted: Sat Apr 01, 2006 1:02 pm Reply with quote

well everything has a reason..
 
Blind-Summit
PostPosted: Sat Apr 01, 2006 1:49 pm Reply with quote

Not being rude - but I really want to try and fix this so if you can save the comments and replace them with some useful code...
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Sat Apr 01, 2006 2:20 pm Reply with quote

These should be the only characters that would not work with this function: "&", "<" and ">" . Yes, it IS a security concern and there for a reason. Looks like this changed line came from the 3.1 or 3.2 patches? Anyways, I know it does not sound like a good solution, but we're only talking three characters that you should stay away from.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Blind-Summit
PostPosted: Sat Apr 01, 2006 3:30 pm Reply with quote

I think it must have worked for me in the past on raven nuke because I was using my old index.php file from nuke 7.4 - having said that - when I was testing earlier - that file gave me an error. Anyway - I made the changes back and will use a different password. Funny how it wasn't changed on the admin login?

Anyway - one final thing came up in relation to passwords:

I have already setup my authors by making copies of the users I want as admins into the nuke_authors table. I could then set their admin usernames / passwords to be the same as their normal user logins by just copying the name / password hash from the nuke_users table.

For the sentinel part - this doesn't work as there is a plaintext password and an encrypted pass as well as the MD5 hash - I can't simply copy them over - and apparently they can't get access to the sentinel part to set this up themselves (HTTP Auth is turned off for the moment)

Any ideas?
 
montego
PostPosted: Sun Apr 02, 2006 7:38 am Reply with quote

The plain text password, I believe (I did not code it so am making an assumption), was necessary to work with HTTPAuth/CGIAuth feature. You have to given them their passwords or ask them for what they want them to be. Sorry, that is just how the tool was designed.

Also, you would most certainly NOT want to make your NS password the same as your other ones... (for the paranoid like me).
 
Blind-Summit
PostPosted: Sun Apr 02, 2006 7:51 am Reply with quote

I had to alter my admin (God password) and then let them set their own passwords. Perhaps setting a global login for NS would be better, as you advise.

Thanks for your help Smile
 
montego
PostPosted: Tue Apr 04, 2006 7:42 am Reply with quote

You are most welcome...
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©