merge-system
merge-system copied to clipboard
mybb
[phpBB 3] passwords with special characters not recognized
Any user having an & (ampersand) in their password is not able to login after merge.
Apparently phpBB replaces it with & prior to hashing and storing in the database. So "test1&test1" password is in fact "test1&test1" as far as phpBB is concerned. But loginconvert.php uses pristine password for comparison, and the result is that the hashes never match. Same for other special characters.
This lets such users log in:
function check_phpbb3($password, $user)
{
// The bcrypt hash is at least 60 chars and is used in phpBB 3.1
- if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt($password, $user['passwordconvert']))
+ if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt(htmlspecialchars($password), $user['passwordconvert']))
This is true for phpBB 3.2.4, not sure about other releases. Also not sure whether it's a bug or a feature of phpBB, but I think Merge System should handle this either way, even it requires some ugly version detection.
Interesting, if it's not a case for the older versions of phpBB we could do a check against the phpbb_config tables and pull the phpBB version from there, config_name = version would return the phpBB version.
Ideally someone would need to figure what version have it and what versions don't.
That's weird, I wouldn't have expected them to be escaping entities in passwords at all! We'll definitely have to do some research, I'll look at their code and see if I can see where they hash passwords and how long its been that way.
From a quick glance at phpBB's current source code, I can't see anything obvious that would be converting characters to HTML entities, but I'm not too familiar with their code.
Ah, weird. I looked at pretty much everything except the individual drivers. Thanks @burner1024.
