PDA

View Full Version : vBulletin SHA1 Workaround?


agallian86
07-10-2007, 12:15 PM
I have a 17 response thread in the general forum that has moved beyond abstractions and I could use some actual coding help.

https://vborg.vbsupport.ru/showthread.php?t=151539

It can all be summarized by noting that I've migrated a forum (SMF) into vBulletin. Now, obviously vBulletin uses an MD5 hash and SMF uses SHA1 hashing. I'm attempting to workaround having users reset their passwords. The basic idea is:

Hmm what you COULD do:
- Check if the MD5 password matches
- If not encrypt the unencrypted password with SHA1, and check the password. If it is a match, re-hash the unencrypted password with MD5 and write to the database so the next attempt will match the normal MD5 hash vBulletin uses.

After some time most SHA1 hashed passwords should be gone.

I currently have my db storing all new accounts in plain-text, though this isn't desired for security purposes, I can now seemingly do the outline above. The only question is...how? I was assuming I need to create a type of vbulletin_sha1.js and modify some php file(s), could anyone point me on the correct path?

Thanks for the assistance guys!

Dismounted
07-11-2007, 07:05 AM
Take a look at this thread I found of vB.com:
http://www.vbulletin.com/forum/showthread.php?t=81103

agallian86
07-11-2007, 01:23 PM
Yeah, thanks.

Trouble is, I had already seen that, and it doesn't really go into that much specifics.

If someone could help me regarding what to do with his importer in order to modify it for my purpose that'd be wonderful.

Else, that thread is lacking the concrete details I need to take it past mere abstraction.

Reeve of shinra
07-11-2007, 02:24 PM
I can't seem to find it at the moment but there was a hack released so that the login.php file uses the SMF authentication method (SHA1) instead of the vbulletin method (MD5 hashes).

It might have been for 3.0 or 3.5 but not much should have changed.

agallian86
07-11-2007, 02:39 PM
Sweet, if that's avialable that's great.

I saw a SMF converter that converted the old SMF passwords which were MD5 to the hash required for vBulletin; and that particular tool was released for vBulletin 3.5 and SMF 1.0 (md5, pre-SHA1 days).

The converter I'm referring to, but hopefully you arent, is located at:
https://vborg.vbsupport.ru/showthread.php?t=97243

Is this what you had in mind, or do you know of a separate tool?

Reeve of shinra
07-11-2007, 03:20 PM
Agallian - yes that was the hack I was referring to.

agallian86
07-11-2007, 03:24 PM
Yeah, I figured as much.

Like I said, that worked for the days when MD5 was used in SMF, so it was just a matter of hashing the pw and salting it. As of SMF 1.1 they updated to the SHA1 hash and it no longer works.

I've done my research before outright begging you guys for help :)

agallian86
07-13-2007, 12:24 PM
Alright, nearly 30 posts (between both threads) and nothing concrete, I guess I'll just have to have users switch their passwords.