2007-07-06, 02:39 AM
I downloaded MyBB 1.2.8 when it was released, and this was in inc/functions_user.php:
/**
* Salts a password based on a supplied salt.
*
* @param string The md5()'ed password.
* @param string The salt.
* @return string The password hash.
*/
function salt_password($password, $salt)
{
return md5($password);
}
This seemed *very* bad, so I redownloaded MyBB 1.2.8 to find this:
/**
* Salts a password based on a supplied salt.
*
* @param string The md5()'ed password.
* @param string The salt.
* @return string The password hash.
*/
function salt_password($password, $salt)
{
return md5(md5($salt).$password);
}
Also, what is the point of using md5() on the password and then passing it to salt_password()? Why not just do md5(md5($salt).md5($password));
I'm not sure if this is a large security risk, because I know that's how phpBB does it. [However, phpBB has not been known to be as secure as MyBB.]
Clint
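The difference between the two snippets, and the question about hashing the password before passing it in, can be checked directly. The following is an added example (not code from the post or from MyBB) that re-implements both versions of salt_password() in Python, plus the one-liner proposed above, and runs them over a constructed two-user table. Function names, the sample users, and the salts are all assumptions made for the example.

```python
import hashlib


def md5_hex(data: str) -> str:
    """Equivalent of PHP's md5(): lowercase hex digest of the UTF-8 bytes."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def salt_password_broken(password_md5: str, salt: str) -> str:
    """Mirrors the first snippet from the post: the salt argument is never used."""
    return md5_hex(password_md5)


def salt_password_fixed(password_md5: str, salt: str) -> str:
    """Mirrors the corrected snippet: md5(md5($salt) . $password)."""
    return md5_hex(md5_hex(salt) + password_md5)


def hash_one_step(password: str, salt: str) -> str:
    """The one-liner proposed in the post: md5(md5($salt) . md5($password))."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def store_password(scheme, password: str, salt: str) -> str:
    """How a caller uses the two-argument schemes: md5() the password first,
    then hand the digest and the per-user salt to salt_password()."""
    return scheme(md5_hex(password), salt)


# Constructed sample data: two users chose the same password, one did not.
# Salts are made up; the point is only that each user has a different one.
SAMPLE_USERS = [
    {"name": "alice", "password": "hunter2", "salt": "ab12"},
    {"name": "bob", "password": "hunter2", "salt": "cd34"},
    {"name": "carol", "password": "correct horse", "salt": "ef56"},
]


def count_duplicate_hashes(scheme, users=SAMPLE_USERS) -> int:
    """Number of stored hashes that collide with another user's stored hash.

    With a working per-user salt, equal passwords still yield distinct hashes,
    so this returns 0. With the broken scheme it reveals which users share a
    password, which is exactly what a salt is meant to hide."""
    hashes = [store_password(scheme, u["password"], u["salt"]) for u in users]
    return sum(1 for h in hashes if hashes.count(h) > 1)


def proposal_is_equivalent(password: str, salt: str) -> bool:
    """The poster's one-liner is the same computation as the fixed scheme
    applied to an already-md5()'ed password."""
    return store_password(salt_password_fixed, password, salt) == hash_one_step(password, salt)


if __name__ == "__main__":
    print("duplicates, broken scheme:", count_duplicate_hashes(salt_password_broken))
    print("duplicates, fixed scheme:", count_duplicate_hashes(salt_password_fixed))
    print("one-liner equivalent:", proposal_is_equivalent("hunter2", "ab12"))
```

Running it shows that the first snippet stores the same value for alice and bob, so anyone with read access to the table can see which accounts share a password and can attack all of them with one precomputed lookup, while the fixed scheme gives every user a distinct hash. It also confirms that the proposed md5(md5($salt).md5($password)) is the same computation as the fixed salt_password() applied to md5($password); the two-argument form simply lets the caller do the inner md5() separately. Note that unsalted or salted MD5 is fast to brute-force by current standards; a dedicated password hash such as bcrypt or Argon2 is the usual replacement.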