Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
neralex
The Mouse Is Extension Of Arm


Joined: Aug 22, 2007
Posts: 1325
Location: Germany

Posted: Sun Sep 21, 2014 10:07 am

I'm struggling with a strange issue with my staccess entries. I tried to add a new admin password for the HTTPAuth login. After storing the crypted PWs in the staccess I can't log in with this new user. The strange thing is that it works with all older users/PWs without a hitch, but only the new entry will not work. All paths and file permissions are correct. All entries are stored correctly in the database.

So I have tried to manually add a user like: test:a1b2c3 but no way, the entry will not work.... any ideas?

It seems this issue has existed since the change of the PHP version from 5.3.x to 5.4.x, but I have no clue why it no longer works.

Edit: It seems the issue is based in the crypt() function while storing in /admin/modules/nukesentinell/ABAuthEditSave.php

php Code:
$xpassword_md5 = md5($xpassword);

$xpassword_crypt = crypt($xpassword);


Quote:
salt

An optional salt string to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results.


I have tried to change this line to check what happens if I add a salt parameter. (This is only a test, please do not add it to a running website!)

php Code:
$xpassword_crypt = crypt($xpassword, 'N$');


Now it works, but the resulting crypted PW is very short. So I have changed it back. The other strange thing is that my PHP 5.3.x and 5.5.x local WAMP installations create salts like $1$ and my server creates salts like $6$, and the crypted PWs are also much longer (60 chars).


Last edited by neralex on Mon Sep 22, 2014 3:38 am; edited 1 time in total 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Sun Sep 21, 2014 8:10 pm

I haven't seen that, but I usually generate the password here: Only registered users can see links on this board! Get registered or login!

Then manually add it, and haven't had problems.

_________________
I google, therefore I exist...
neralex
Posted: Mon Sep 22, 2014 3:36 am

Thanks, but that will not help because the hashed string is too short.

After hours of reading and updating my server to PHP 5.5.17 I found the cause of that. Since PHP 5.3.7, crypt() on most servers supports more than one algorithm, so the best available one will be used. In my case crypt() is using CRYPT_SHA512. But it seems the HTTPAuth module of apache2 has some trouble with the new, stronger algorithms.

So I have tried to manually build a randomly created salt before hashing with crypt() in order to get a salt like CRYPT_MD5.

php Code:
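function generateRandomString($length = 15) {
    // rand() is not a cryptographic RNG; its SHA-1 hex digest is only used as salt text
    return substr(sha1(rand()), 0, $length);
}
// The '$1$' prefix selects CRYPT_MD5, which uses at most 8 salt characters
$salt = '$1$' . generateRandomString() . '$';
$xpassword_crypt = crypt($xpassword, $salt);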


Tada! It works! But I have no clue whether it is a bug in the HTTPAuth module with the long hashes from CRYPT_BLOWFISH, CRYPT_SHA256 and CRYPT_SHA512... anyway, it works again for me.
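
An added example, not from the thread or from NukeSentinel's code: a Python check that reads `user:hash` lines in the layout the post shows (`test:a1b2c3`) and reports which crypt scheme each stored hash uses, which is the `$1$` versus `$6$` difference the posts describe. The function names, the sample entries (constructed, not real hashes) and the default expected scheme are assumptions.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and digests

# Shape of the hash field per scheme: crypt(3) ids plus Apache's $apr1$ and {SHA}.
SCHEMES = [
    ("md5-crypt",    rf"\$1\${B64}{{0,8}}\${B64}{{22}}"),
    ("apr1-md5",     rf"\$apr1\${B64}{{0,8}}\${B64}{{22}}"),
    ("bcrypt",       rf"\$2[abxy]\$\d\d\${B64}{{53}}"),
    ("sha256-crypt", rf"\$5\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{43}}"),
    ("sha512-crypt", rf"\$6\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{86}}"),
    ("sha1-base64",  r"\{SHA\}[A-Za-z0-9+/]{27}="),
    ("des-crypt",    rf"{B64}{{13}}"),
]

def classify(hash_field):
    """Name the scheme of one stored hash, judged by prefix and length."""
    for name, pattern in SCHEMES:
        if re.fullmatch(pattern, hash_field):
            return name
    # A '$' prefix that fits no known shape is a truncated or unknown crypt hash.
    return "malformed-or-unknown-crypt" if hash_field.startswith("$") else "unrecognized"

def audit(text, expected="md5-crypt"):
    """Return (line number, user, scheme, matches_expected) per entry."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        scheme = classify(hash_field) if sep else "missing-colon"
        report.append((lineno, user, scheme, scheme == expected))
    return report

# Constructed sample: placeholder digests with the right shape, not real hashes.
SAMPLE = "\n".join([
    "olduser:$1$abcdefgh$" + "A" * 22,
    "newuser:$6$saltsaltsaltsalt$" + "B" * 86,
    "test:a1b2c3",
    "other:$2y$10$" + "C" * 53,
])

if __name__ == "__main__":
    for lineno, user, scheme, ok in audit(SAMPLE):
        print(f"line {lineno}: {user:8} {scheme:28} {'ok' if ok else 'differs from expected'}")
```

Run against a copy of the real file, entries whose scheme differs from the ones that still authenticate are the first place to look.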
 
All times are GMT - 6 Hours