Author Topic: After changing password or resetpassword no log-in  (Read 11399 times)

0 Members and 1 Guest are viewing this topic.

wwtg

  • Jr. Member
  • **
  • Posts: 2
After changing password or resetpassword no log-in
« on: February 24, 2014, 06:07:37 PM »
I upgraded from version 1.6.8 into 1.6.9
I noticed that the operators can log-in with the 'old' password, but if they update their password, or reset their password,
then it keeps saying "Entered login/password is incorrect"
The same for creating new operators.... The chosen password wont'work either...

I see in the database (MySQL 5.0.90, ) that the generated new vcpassword is much longer and a part of the Username is included...


Is it because of the .htaccess? I have only this
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

because the other instructions gives me internal server error 500.
Run Apache/2.0.58 (FreeBSD) PHP/5.2.8 with Suhosin-Patch mod_ssl/2.0.58 OpenSSL/0.9.7e-p1

Can someone help me?

faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 951
    • Mibew Messenger
Re: After changing password or resetpassword no log-in
« Reply #1 on: February 24, 2014, 09:08:02 PM »
Your problem has nothing to do with .htaccess. You're using obsolete server software, so I suppose that there is something wrong with your crypt PHP function.

I'd recommend you to update your system.

The other way is to simplify the calculate_password_hash function in libs/operator.php, but it will weaken security (not to mention the fact that you'll have to manually patch every new release of Mibew).

falcon

  • Sr. Member
  • ****
  • Posts: 44
Re: After changing password or resetpassword no log-in
« Reply #2 on: February 24, 2014, 10:19:11 PM »
I had exact problem with cookie cleaning + 20 times login tryes and session lost after browser closing.

So, we could not update php beacause of cpanel. New php will cause problems to hosting.
I have solved that problem with this code replacing in libs/operator.php:

Code: [Select]
function calculate_password_hash($login, $password)
{
$hash = '*0';

// if (CRYPT_BLOWFISH == 1) {
if (1 == 2) {
if (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) {
$hash = crypt($password, '$2y$08$' . $login);
$hash = crypt($password, '$2y$08$' . $login);
$hash = crypt($password, '$2y$08$' . $login);
}
else {
$hash = crypt($password, '$2a$08$' . $login);
$hash = crypt($password, '$2a$08$' . $login);
$hash = crypt($password, '$2a$08$' . $login);
}
        }

if ( (CRYPT_MD5 == 1) && !strcmp($hash, '*0') ) {
$hash = crypt($password, '$1$' . $login);
}

return strcmp($hash, '*0') ? $hash : md5($password);
}

I have disabled CRYPT_BLOWFISH and regenerated password hashes (changed/restored passwords to equal ones)
You can fully comment/delete first block from blowfish to md5 if because crypt generates different values.

Maybe, you can find better solution (:
« Last Edit: February 24, 2014, 10:22:56 PM by falcon »

wwtg

  • Jr. Member
  • **
  • Posts: 2
Re: After changing password or resetpassword no log-in
« Reply #3 on: February 25, 2014, 10:34:30 AM »
I installed the old version again, only on a different location and behind htacces password.
The new version runs on the website. Only changing passwords I do through the old version.

Its for the time beeing...
I have to change a lot before I use a new server with the latest php and FreeBSD.

But thank you for your help and suggestions.

faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 951
    • Mibew Messenger
Re: After changing password or resetpassword no log-in
« Reply #4 on: February 25, 2014, 10:43:07 AM »
Just want you to know that the algorithm of password hashing was changed in version 1.6.6...