Ravens PHP Scripts: Forums
 

 

crypto
Worker



Joined: Aug 02, 2004
Posts: 165

Posted: Fri Nov 25, 2011 4:28 pm

There is a bug regarding password recovery:

Background:
- Password policy in place = Current policy says that a password has to be at least 10 characters long.

However, when you recover a password via the Your_Account&op=pass_lost function, it doesn't follow the password length policy. Instead, it generates a weaker password. How can this be fixed?
 
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

Posted: Fri Nov 25, 2011 5:48 pm

If you are concerned about this, open Your_Account/includes/functions.php and find the YA_MakePass() function.
Code:


function YA_MakePass() {
   global $ya_config;
   $makepass = '';
   $strs = 'abc2def3ghj4kmn5opq6rst7uvw8xyz9';
   for ($x = 0; $x < 8; ++$x) {
      mt_srand((double)microtime() * 1000000);
      $str[$x] = substr($strs, mt_rand(0, strlen($strs) - 1) , 1);
      $makepass = $makepass . $str[$x];
   }
   return ($makepass);
}

Replace with this:
Code:


function YA_MakePass() {
   global $ya_config;
   $makepass = '';
   $strs = 'abc2def3ghj4kmn5opq6rst7uvw8xyz9';
   $passLength = ($ya_config['pass_min'] <= 8) ? 8 : $ya_config['pass_min'];
   for ($x = 0; $x < $passLength; ++$x) {
      mt_srand((double)microtime() * 1000000);
      $str[$x] = substr($strs, mt_rand(0, strlen($strs) - 1) , 1);
      $makepass = $makepass . $str[$x];
   }
   return ($makepass);
}

I made it so that it will not produce a password less than 8 characters. If you want to go strictly by the minimum password length, then just use this:
Code:


for ($x = 0; $x < $ya_config['pass_min']; ++$x) {

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
crypto







Posted: Sat Nov 26, 2011 5:53 am

Thanks, this works fine!

More characters should also be added to enhance security, e.g.

Code:
$strs = 'aAbBcC2dDeEfF3gGhHjJ4kKmMnN5oOpPqQ6rRsStT7uUvVwW8xXyYzZ9!@#$%-+';


Can you add this fix to the next RavenNuke version so everybody can benefit from this by default?
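
Added example, not part of the thread and not RavenNuke code: a recovery-password generator that honours `pass_min` with a floor of 8 as in the posted fix, accepts either character set from the thread, and draws from the OS CSPRNG instead of reseeding `mt_srand()` from `microtime()` for every character, which ties each character to the clock. The names `make_recovery_password()` and `entropy_bits()` are hypothetical, the `$ya_config` array is a constructed stand-in, and PHP 7.0+ is assumed for `random_int()`.

```php
<?php
// Added example, not RavenNuke code. make_recovery_password() and
// entropy_bits() are hypothetical names; requires PHP 7.0+ for random_int().

/**
 * Build a recovery password that is at least $floor characters long and
 * also honours the configured minimum ($ya_config['pass_min'] in the thread).
 */
function make_recovery_password(int $passMin, string $alphabet, int $floor = 8): string
{
    // De-duplicate so a repeated character cannot skew the distribution.
    $chars = array_values(array_unique(str_split($alphabet)));
    if (count($chars) < 2) {
        throw new InvalidArgumentException('alphabet needs at least 2 distinct characters');
    }
    $length = max($passMin, $floor);
    $last = count($chars) - 1;
    $password = '';
    for ($i = 0; $i < $length; ++$i) {
        // random_int() uses the OS CSPRNG and is unbiased over the range;
        // there is no seed, so nothing depends on the current time.
        $password .= $chars[random_int(0, $last)];
    }
    return $password;
}

/** Entropy in bits of a uniformly random password: length * log2(alphabet size). */
function entropy_bits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// Constructed stand-in for the module configuration (policy from the first post).
$ya_config = ['pass_min' => 10];
$original = 'abc2def3ghj4kmn5opq6rst7uvw8xyz9';
$extended = 'aAbBcC2dDeEfF3gGhHjJ4kKmMnN5oOpPqQ6rRsStT7uUvVwW8xXyYzZ9!@#$%-+';

// Compare both character sets at the policy length.
foreach (['original' => $original, 'extended' => $extended] as $name => $alphabet) {
    $pw = make_recovery_password($ya_config['pass_min'], $alphabet);
    $size = count(array_unique(str_split($alphabet)));
    printf("%-8s len=%d  %.1f bits  %s\n", $name, strlen($pw), entropy_bits(strlen($pw), $size), $pw);
}
```

The entropy figures printed hold only when every character is drawn independently and uniformly, which is what `random_int()` provides.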
 
All times are GMT - 6 Hours
 