MyBB Community Forums

Full Version: member.php .....need help.
Hi there,

For the last couple days I've been looking and poking
around MyBB's file and editing this and that. However
when I was looking to edit the registration function,
I couldn't help but notice that what I had partially intended
to change, was not there.

When I go to phpMyAdmin or MySQL and others, I notice
that everyone's info is comprised of (UID, Username, Password, Salt, LoginKey, etc.)

I have a couple questions::

1) I've been looking everywhere; where exactly is the md5 function for
passwords? The only time I saw an md5 function used at ALL was for
captcha and when you reset the password. So where exactly is the
function for encrypting, and can I change it? Like say, for example, if your
current encryption is md5($salt.$pass); could I change it to something
like md5(sha1($pass.$salt));?

2) What is your current encryption method? And is it secure? (Obviously
no encryption is secure, but I'm just trying to figure out how secure
this encryption you use is, because when you hash something multiple
times, the collision theory reduces the amount of possibilities the password
could be. So are you using a single or double or triple or more encryption?)

3) How is the salt determined?

4) What exactly is a "loginkey" and what is it used for?

-Viral.
I believe ./inc/datahandlers/user.php is what you need to look at. The salt is a random 8 character string. The method is this:

$stored_pass = md5(md5($salt).md5($plain_pass));

I don't see why it's necessary to change it though. You'd have a hard time finding the plain text password from that.

Login key is so people can't post this to log you out:

[img]http://yourdomain.com/member.php?action=logout[/img]

The login key is appended to the end so it'll only log you out if you're the one who's logged in as it'll only be loaded then.
Hi there, Matt.

When I went to ./inc/datahandlers/user.php

I found this code:
// MD5 the password
$user['md5password'] = md5($user['password']);

// Generate our salt
$user['salt'] = generate_salt();

// Combine the password and salt
$user['saltedpw'] = salt_password($user['md5password'], $user['salt']);

// Generate the user login key
$user['loginkey'] = generate_loginkey();

I'm sorry to say though I didn't see your php code. Unless that was just an example. ._.

What I don't get though, (I'm sorry I'm a little slow on the uptake sometimes),
is how the encryption is "md5(md5($salt.$pass);" when I see:
"md5($pass); md5($pass.$salt);".??

So the login key, doesn't actually do anything....important, except determine
whether or not the user logging out is right user. So if user 1 logs out, user 2
will not? Or am I getting this wrong?

So, would this be a loginkey thing here: http://thehallowlife.com/forums/search.p...esults&sid="----------"
Because I presumed that SID="" was just my session ID md5'd. Which contains
my cookies.

-Viral.
Look at the salt_password function in ./inc/functions_user.php:

function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

$password has been MD5d already, see code in other post, $salt is MD5d here, joined together and MD5d again.

On search.php the sid is the search ID so it knows what results to get. Login key is used like this:

http://community.mybboard.net/member.php?action=logout&logoutkey=073c...ea31

That way it will only log me out when I click this link as the login key is at the end. If there's no login key, or it's wrong, it doesn't log you out.
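A stand-alone model of the scheme described in this thread (random 8-character salt, stored value md5(md5($salt).md5($pass))), written as an added example; the example_* functions are not MyBB's own code and are named here for illustration.

```php
<?php
// Added example: models the hashing scheme discussed in the thread.
// Not MyBB's own functions; example_* names are chosen for illustration.

const SALT_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

function example_generate_salt(int $length = 8): string
{
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG; each user's salt must be unpredictable
        $salt .= SALT_CHARS[random_int(0, strlen(SALT_CHARS) - 1)];
    }
    return $salt;
}

function example_salt_password(string $md5password, string $salt): string
{
    // Mirrors the thread's salt_password(): hash the salt, prepend it to the
    // already MD5'd password, then hash the result again.
    return md5(md5($salt) . $md5password);
}

function example_register(string $plain): array
{
    $salt = example_generate_salt();
    return [
        'salt'     => $salt,
        'saltedpw' => example_salt_password(md5($plain), $salt),
    ];
}

function example_verify(string $plain, array $record): bool
{
    $candidate = example_salt_password(md5($plain), $record['salt']);
    // hash_equals() compares in constant time, so a mismatch leaks no timing
    return hash_equals($record['saltedpw'], $candidate);
}

// Constructed demo: the same password registered twice yields different
// stored hashes because each user gets a fresh salt.
$a = example_register('correct horse');
$b = example_register('correct horse');
var_dump($a['saltedpw'] !== $b['saltedpw']);
var_dump(example_verify('correct horse', $a));
var_dump(example_verify('wrong', $a));
```

The per-user salt is what defeats a precomputed table, but MD5 itself is fast, so someone holding a copy of the database can still test large numbers of candidate passwords offline; that is why a deliberately slow hash such as PHP's password_hash() is the usual choice today.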
Matt,


Ohhhhh, I see now.
So, for the password, it would be incredibly hard to brute force,
correct, should someone successfully obtain access to my DB?

Oohhhh. That makes sense. So , let's say I posted a button which
has this appended to it: </a href="http://site.com/forums/member.php?action=logout"><img></a>

Would it log them out, even though this code is on a different site altogether? Or no?

-Viral.
Yeah, it'd be hard to bruteforce because it's an MD5d MD5. They wouldn't be able to run the salt through a rainbow table to get the plaintext password as a rainbow table won't store the MD5d password.

That code on its own wouldn't log you out, no; copy and paste the logout link on this forum and remove or edit the logoutkey, and it won't log out. It's impossible for you to find out someone's login key to post a link that would actually log them out.

The same goes for things like moderation options, if you could do this:

[img]http://yourdomain.com/moderation.php?action=delete_thread&tid=1[/img]

That would mean I could post that and wait for a mod to visit the thread, and it'd delete the thread. Instead, there's a code at the end:

[img]http://yourdomain.com/moderation.php?action=delete_thread&tid=1&my_post_key=some_random_code_here[/img]

The my_post_key is then checked to make sure the action is authorized.
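The check Matt describes, written as an added example rather than MyBB's own code: a per-session key of the kind the thread calls logoutkey or my_post_key is issued to the logged-in user, embedded in state-changing links, and any request that arrives without the matching key is refused. The example_* names and the plain-array stand-in for the session are assumptions for this illustration.

```php
<?php
// Added example (not MyBB's code): a per-session request key used to reject
// logout / moderation links that someone else planted in a post or image tag.

function example_issue_post_key(): string
{
    // One unpredictable key per login session, kept server side
    if (empty($_SESSION['post_key'])) {
        $_SESSION['post_key'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['post_key'];
}

function example_verify_post_key(?string $supplied): bool
{
    $expected = $_SESSION['post_key'] ?? '';
    if ($expected === '' || $supplied === null) {
        return false;   // no key issued, or none supplied: refuse the action
    }
    // Constant-time comparison of the submitted key with the session's key
    return hash_equals($expected, $supplied);
}

function example_logout_link(string $base): string
{
    // Genuine links carry the key, so only the key's owner can trigger them
    return $base . '/member.php?action=logout&logoutkey=' . example_issue_post_key();
}

// Constructed demo: emulate a session with a plain array (no session_start()).
$_SESSION = [];
$link = example_logout_link('http://example.invalid/forums');
parse_str(parse_url($link, PHP_URL_QUERY), $query);

var_dump(example_verify_post_key($query['logoutkey']));  // link the user built
var_dump(example_verify_post_key(null));                 // key stripped, as in a planted [img]
var_dump(example_verify_post_key('00000000000000000000000000000000')); // guessed key
```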
Ahh, Ok.

Now that's neat. I was wondering what those "my_post_keys" were.
I implemented an IP-logger with referrals. And everyone that posted had
a "&post_key=MD5-hash".

-Viral.
(2010-04-06, 11:17 AM) MattRogowski Wrote: Yeah, it'd be hard to bruteforce because it's an MD5d MD5. They wouldn't be able to run the salt through a rainbow table to get the plaintext password as a rainbow table won't store the MD5d password.

The only way to brute force it would actually be to have a macro setup that tries EVERY single password combination. This would take a very long time if you had number of failed login attempts enabled :)