MyBB Community Forums

Full Version: MyBB 1.2.8 -- Two Versions? MyBB Merge Fix [phpbb3->mybb]
I downloaded MyBB 1.2.8 when it was released, and this was in inc/functions_user.php:
/**
 * Salts a password based on a supplied salt.
 *
 * @param string The md5()'ed password.
 * @param string The salt.
 * @return string The password hash.
 */
function salt_password($password, $salt)
{
	return md5($password);
}

This seemed *very* bad, so I re-downloaded MyBB 1.2.8 to find this:
/**
 * Salts a password based on a supplied salt.
 *
 * @param string The md5()'ed password.
 * @param string The salt.
 * @return string The password hash.
 */
function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

Also, what is the point of using md5() on the password and then passing it to salt_password()? Why not just do md5(md5($salt).md5($password))?
I'm not sure if this is a large security risk, because I know that's how phpBB does it. [However, phpBB has not been known to be as secure as MyBB.]


Clint
I'm not sure what you're trying to get at. The password is md5'ed before it's passed into the function...how is it less safe than md5'ing the password within the function?
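Added example, not MyBB's code and not from either poster: the two salt_password() variants from the first post, plus the md5(md5($salt).md5($password)) variant asked about, reproduced in Python so the difference can be seen on concrete input. The salts and passwords are constructed test data (MyBB generates the salt randomly; fixed strings are used here so the run is reproducible), and check_login() is a hypothetical verifier added to show how the stored value is compared, not MyBB's own login code.

```python
"""Added example (not MyBB's code): the salt_password() variants from the
thread, side by side, on the same password and salts."""
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """md5() as PHP computes it: lowercase hex digest of the UTF-8 bytes."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def salt_password_first_download(password_md5: str, salt: str) -> str:
    """First copy of 1.2.8 quoted in the post: the salt is accepted but
    never used, so the stored value is just md5(md5($password))."""
    return md5_hex(password_md5)


def salt_password_second_download(password_md5: str, salt: str) -> str:
    """Second copy of 1.2.8: md5(md5($salt).$password), where $password has
    already been md5()'ed by the caller."""
    return md5_hex(md5_hex(salt) + password_md5)


def poster_alternative(password: str, salt: str) -> str:
    """The variant asked about in the post, md5(md5($salt).md5($password)),
    applied directly to the raw password."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def stored_hashes(password: str, salt: str) -> dict:
    """What each scheme would store for one account. The caller md5()s the
    raw password before calling salt_password(), as the post describes."""
    password_md5 = md5_hex(password)
    return {
        "unsalted": salt_password_first_download(password_md5, salt),
        "salted": salt_password_second_download(password_md5, salt),
        "alternative": poster_alternative(password, salt),
    }


def check_login(password: str, salt: str, stored: str) -> bool:
    """Hypothetical verifier (not MyBB's): recompute the salted hash for a
    login attempt and compare it to the stored value in constant time."""
    candidate = salt_password_second_download(md5_hex(password), salt)
    return hmac.compare_digest(candidate, stored)


def same_password_two_users(password: str, salt_a: str, salt_b: str) -> dict:
    """Two accounts with the same password but different salts: for each
    scheme, report whether the two stored hashes come out identical."""
    a = stored_hashes(password, salt_a)
    b = stored_hashes(password, salt_b)
    return {name: a[name] == b[name] for name in a}


if __name__ == "__main__":
    # Constructed sample data: fixed salts stand in for MyBB's random ones.
    salt_a, salt_b = "k3jd8s2f", "9qw1zx7c"
    print(same_password_two_users("hunter2", salt_a, salt_b))
    hashes = stored_hashes("hunter2", salt_a)
    print("salted == alternative:", hashes["salted"] == hashes["alternative"])
```

Running it shows two things. With the first-download version, every account that shares a password gets the same stored hash regardless of salt, since the salt never enters the computation. With the second-download version the hashes differ per account, and its output is byte-for-byte identical to md5(md5($salt).md5($password)): once the caller has already md5()'ed the password, hashing it again inside the function would change nothing, which is the point Clint's reply makes.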

Split the MyBB Merge bug into the MyBB Merge forum