View Full Version : plain password in header request?


erikp
02-12-2008, 08:42 AM
Hi,

I understand that vBulletin hashes the password client-side using javascript. However, when I look at the headers sent by the browser, the plain password is still there, next to the md5 hash. What the heck is going on here?

I'm using the 'Live HTTP Headers' Firefox extension, and it tells me that the bottom part of the headers reads like:

Content-Type: application/x-www-form-urlencoded
Content-Length: 195
do=login&url=%2Fvbulletin%2F&vb_login_md5password=5d4e049c1dd1f28e22ac940fed008c2a&vb_login_md5password_utf=5d4e049c1dd1f28e22ac940fed008c2a&s=&vb_login_username=erikp&vb_login_password=mysupersecretpassword


I need *some* kind of encryption, and since ssl also seems to be a problem, I'm kind of wondering what's going on..

Dismounted
02-12-2008, 09:06 AM
Either you've modified that part of the template, you've modified the JavaScript that goes behind it, or the browser is just doing something wonky (trust me, it happens). Clear your cookies/cache and see if it still happens.

The likelihood of someone actually peering into your data is pretty unlikely.

erikp
02-12-2008, 09:21 AM
I did modify some templates but I don't think I modified the login template.. do you know where I can find that part?

I've cleared the cookies, cache, tried IE as well. I didn't touch the javascript at all...

I looked at what's going on in the md5hash function that is called on submit, and it looks like this:


function md5hash(input, output_html, output_utf, skip_empty)
{

    (..)

        if (!skip_empty)
        {
            // implemented like this to make sure un-updated templates behave as before
            input.value = '';
        }
    }

    return true;
}


I checked the skip_empty boolean and it has the value true... what would that mean?
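
Added example, not part of the original thread and not vBulletin's own code: a small Python check that parses a captured login body like the one quoted above and reports whether the cleartext password field went out alongside the MD5 fields. The field names come from the quoted request; the sample bodies, the username and the password are constructed, and the check assumes the hash field is a plain MD5 of an ASCII password.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode

# Field names taken from the request body quoted in the thread.
PLAIN_FIELD = "vb_login_password"
HASH_FIELDS = ("vb_login_md5password", "vb_login_md5password_utf")


def audit_login_body(body: str) -> dict:
    """Report whether a urlencoded login body carries the cleartext password."""
    # keep_blank_values=True so an emptied password field is still seen.
    fields = dict(parse_qsl(body, keep_blank_values=True))
    plain = fields.get(PLAIN_FIELD, "")
    hashes = {k: fields[k].lower() for k in HASH_FIELDS if fields.get(k)}
    # Assumption: the client sends a plain MD5 of the password, and the
    # password is ASCII, so no entity/UTF-8 conversion changes the digest.
    digest = hashlib.md5(plain.encode("utf-8")).hexdigest() if plain else None
    return {
        "plaintext_sent": bool(plain),
        "hash_sent": bool(hashes),
        # True means the hash adds nothing: the same secret is also in clear.
        "hash_matches_plaintext": bool(plain) and digest in hashes.values(),
    }


def sample_body(password: str, clear_field: bool) -> str:
    """Constructed body shaped like the quoted one (not a real capture)."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return urlencode({
        "do": "login",
        "vb_login_md5password": digest,
        "vb_login_md5password_utf": digest,
        "s": "",
        "vb_login_username": "alice",
        # clear_field=True models a submit handler that empties the input.
        PLAIN_FIELD: "" if clear_field else password,
    })


if __name__ == "__main__":
    for cleared in (False, True):
        print(cleared, audit_login_body(sample_body("example-pass", cleared)))
```

Even when the password field is emptied, the digest is the same on every login for a given password, so the request body still needs transport encryption.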