Not Solved [Security] Hashing algorithms
#1
MyBB uses an outdated MD5 hashing algorithm. Should I switch to bcrypt using plugins or not? Is this a major security issue? Also when does Mybb 2 come out?
#2
Quote: Should I switch to bcrypt using plugins or not?

If your host supports a current version of PHP (>= PHP 5.6), it would be worthwhile - it certainly won't do any harm. I recommend DVZ Hash: https://github.com/dvz/mybb-dvzHash

Quote: Is this a major security issue?

If your hosting is somehow breached or a bad attacker gains access to your database in some way, it would be possible for them to crack your users' passwords. However, if they breach your hosting, they will likely also gain filesystem access and will circumvent any code that makes their life difficult (eg: they will place code to log passwords in plaintext on login).

A stronger hashing algorithm slows down the process of cracking user passwords should your database become compromised, but is not a silver bullet that will solve all your problems.

Basically: know your threat model.

Quote: Also when does Mybb 2 come out?

We do not give out solid dates for releases, and tend to stick with "when it's ready". At the minute there is some discussion about the future of the project - you can catch up here: https://community.mybb.com/thread-213361.html
#3
(2017-11-01, 12:45 PM).m. Wrote: below guidance could be helpful
* MyBB Plugins Explained
* Plugin MyBB Base & Plugin MySql

templates system is used to display required content easily. see templates related guidance

for adding a button to thread page we have to modify showthread related template(s)

breadcrumb is used for easy navigation of the web site / forum
eg. MyBB Community Forums Resources Plugins Plugin Development

see MyBB variables - php cross reference

eval('$sections  = "' . $templates->get('hello_world_template') . '";'); 
in simple words, variable sections value is evaluated through hello_world_template

Thanks for the response! My dilemma is that I use MyBB for authentication with a C++ application. Right now I use something insecure and I was wondering if there is any inbuilt API in MyBB which limits login retries?
#4
(2017-11-05, 12:21 AM)1234filip Wrote: Thanks for the response! My dilemma is that I use MyBB for authentication with a C++ application. Right now I use something insecure and I was wondering if there is any inbuilt API in MyBB which limits login retries?

Hi,

Right now there's no easy API you could access to check login attempts. The number of attempts for a user are stored in the users table, but there's no PHP script inside MyBB that you could call to get the number of attempts or check if there have been too many.
#5
(2017-11-05, 09:08 AM)Euan T Wrote: Right now there's no easy API you could access to check login attempts. The number of attempts for a user are stored in the users table, but there's no PHP script inside MyBB that you could call to get the number of attempts or check if there have been too many.

You should really make a simple API for this. I'm going to make my own, but you really should make an official one.
So I'm looking into the login code and I have one issue. If I want to make an API for a desktop application, how do I use login_attempt_check? As far as I can see it is cookie or session based.
#6
Yes, the current MyBB 1.x series doesn't have any public API to any of the core functionality at the minute. There have been a few attempts by people to create plugins to provide such functionality in the past, but none have been completed or kept up to date as far as I know. It's certainly something we plan to provide in the future.

Probably the best approach would be to write a plugin that provides logins (doing all of the internal processing in PHP) and returns any required information back to your client application. There is no plugin to do this at the minute as far as I'm aware, so you'd either have to write one yourself or hire somebody to write one unfortunately.
#7
(2017-11-04, 11:31 PM)1234filip Wrote: MyBB uses an outdated MD5 hashing algorithm. Should I switch to bcrypt using plugins or not?

It can be done easily (like, one line change in core easy) but then you're stuck with it forever.

Also you'd have to clean out your backup folder and perhaps old tables in database (if you did any weird stuff or merges in the past) as those still contain the old hashes.

I also have an external script that uses MyBB user authentication, but that checks for a MyBB session cookie first so if you're not already logged into MyBB itself, it won't ask you for a confirmation password either.
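One way to put together the pieces discussed in #2 (switching to bcrypt), #4/#5 (no API around the stored login attempts) and #7 (old MD5 hashes linger until replaced), as an added PHP example that is not MyBB's or dvzHash's own code. It assumes MyBB 1.x stores md5(md5($salt) . md5($password)) in users.password next to users.salt, and uses an in-memory $row in place of that table row.

```php
<?php
// Added example, not MyBB or dvzHash code. Verifies a legacy salted-MD5 row
// once more, rewrites it as bcrypt on that first successful login, and keeps
// a per-user attempt counter with a lockout window, since the thread notes
// there is no script in MyBB to query or enforce login_attempt_check.
// Assumption: legacy rows hold md5(md5($salt) . md5($password)) and a salt.

const MAX_ATTEMPTS    = 5;
const LOCKOUT_SECONDS = 900;

function legacy_mybb_hash($password, $salt)
{
    return md5(md5($salt) . md5($password));
}

// Returns true on success and mutates $row: hash upgraded and counter reset
// on success; counter incremented and account locked on repeated failure.
function verify_and_upgrade(array &$row, $password, $now)
{
    if ($row['lockout_until'] > $now) {
        return false;                 // locked out: skip the password check entirely
    }
    if (strncmp($row['password'], '$2y$', 4) === 0) {
        $ok = password_verify($password, $row['password']);
        // Re-hash when the stored cost no longer matches the configured cost.
        if ($ok && password_needs_rehash($row['password'], PASSWORD_BCRYPT)) {
            $row['password'] = password_hash($password, PASSWORD_BCRYPT);
        }
    } else {
        $ok = hash_equals($row['password'], legacy_mybb_hash($password, $row['salt']));
        if ($ok) {                    // first good login: replace MD5 with bcrypt
            $row['password'] = password_hash($password, PASSWORD_BCRYPT);
            $row['salt']     = '';    // bcrypt embeds its own salt
        }
    }
    if ($ok) {
        $row['loginattempts'] = 0;
        $row['lockout_until'] = 0;
    } elseif (++$row['loginattempts'] >= MAX_ATTEMPTS) {
        $row['lockout_until'] = $now + LOCKOUT_SECONDS;
    }
    return $ok;
}

// Constructed sample row, laid out as a pre-switch MyBB install would store it.
$row = ['password' => legacy_mybb_hash('correct horse', 'abcdefgh'),
        'salt' => 'abcdefgh', 'loginattempts' => 0, 'lockout_until' => 0];
verify_and_upgrade($row, 'wrong guess', time());     // fails, counts one attempt
verify_and_upgrade($row, 'correct horse', time());   // succeeds, row is now bcrypt
var_dump(strncmp($row['password'], '$2y$', 4) === 0);
```

Only accounts that actually log in get upgraded, so dormant accounts, database backups and any leftover tables keep their MD5 hashes until they are rewritten or purged, which is the point raised in #7.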
#8
Ok so I switched to bcrypt using dvzHash and I'm quite happy tbh. But now there's the issue of writing a login script. I'm just wondering where in member.php it checks for password and username matching? Is there a boolean that gets set to true? I can't seem to find that. Or even better, which function should I hook to find out if the login was successful or not?