PDA

View Full Version : Password to an unhashed table


Exernon
12-19-2008, 01:38 PM
Is it possible to place the exact value of the password given during registration to an unhashed column in a different table?

How to do it?

This code still gives the md5 encryption.
$vbulletin->db->query_write("INSERT INTO custom_table (uid, acct_pass) VALUES (".$db->escape_string($new_uid).", '".$db->escape_string($userinfo['password'])."');How can I store the plain password (upon registration) to a custom table so I can call the original password anytime?

Dismounted
12-20-2008, 02:40 AM
You can't. As long as the user has JS enabled, a password is already MD5-hashed as it reaches the server.

In any case, why would you need a user's password and compromise the safety of your board?

Exernon
12-20-2008, 05:35 AM
I need this so I can integrate my forums with my server application.

My server application uses Sha-1 encryption- if my users register in the forum, their data would be stored on another table of the same database (same with the forum's). Already done this, but the problem is on the password. Since these 2 use different encryption, isn't there anyway I can do this?

Dismounted
12-20-2008, 05:38 AM
You could hack vBulletin so that it uses an SHA hash - that shouldn't be an issue.

Exernon
12-20-2008, 05:48 AM
Other than this, I assume there are no other ways around it?

--------------- Added 1229760950 at 1229760950 ---------------

I saw this.

Although not advised from a security POV, you can set 'DISABLE_PASSWORD_CLEARING' to true in your config.php, and the passwords will be passed to the server unencrypted.

But I can't seem to find it in my config.php (3.7.4).

Dismounted
12-20-2008, 09:17 AM
It is not in there because it is strong not recommended to do so. You can add it yourself - but again, it is strong not recommended to do so.

Exernon
12-20-2008, 10:22 AM
How about this:
https://vborg.vbsupport.ru/showthread.php?t=137188

How can I apply this hack to registration instead of login?

Marco van Herwaarden
12-21-2008, 09:56 AM
It would be much more secure if you simply also provided the SHA1 password and store that.

You could use the attached JS-file for this.