Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my user's passwords. :D

After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So, I made a couple of modifications, to ensure that only MD5 encrypted passwords were stored in the database.

I didn't think much of it at the time, I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine.

The main issue of concern seemed to be "But now the lost-password function won't work!"

I put in place a random, "pronounceable password generator" (http://www.phpbuilder.com/columns/jesus19990502.php3) I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

I chose MD5 because I'm fond of the concept of "one-way" encryption.

Now, no admin can see a member's password. :-)

Enjoy!

(Instructions, and a database-update script are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip )

Though I have not installed it yet, just looking through the code and the installation instructions, it appears to be very well done!

You are a class act CoffeeMugDude.

Thank you!

-t

Oops, I thought I had posted this in the VB2 hacks forum :D

BTW, thanks thewitt!

Hi there,

yes, looks really clean & nice - very impressive!
Will install it asap the next days,

Thanks a bunch! :)
-Tom

Little mistake?

The changes in admin/session.php line 109 must be changed in your instructions.htm.

Then it's working fine for me.

Written by CoffeeMugDude
I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.


After reading through your first sentences this was my first worry....And you nailed it....this sounds awesome!

Although I find it very helpful at times when dealing with the users to have their password visible for certain situations. Like testing their account as them etc.

Another one.

In member.php the whole "start update password" routine isn't handled.

Find// validate old password
if ($currentpassword!=$bbuserinfo[password]) {and replace it with// validate old password
if (md5($currentpassword)!=$bbuserinfo[password]) {Then find$DB_site->query("UPDATE user SET password='".addslashes($newpassword)."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");and replace it with$DB_site->query("UPDATE user SET password='".addslashes(md5($newpassword))."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");

ok first thanks for this hack, it totally rocks, and should be in vbulletin as a default feature, not hack...
i got it working now (i hope) but it took some screwing around... so i'm just putting what i did here so others can do the same:

1) do not edit the file sessions.php until AFTER you have run the update password script - you won't be able to log in to run the script if you do...

2) the file encrypt_all_passwords.php is messed up and will crash - search for "$DB_site_new" and replace with "$DB_site" before you run it...

3) the 2nd step of modifying admin/sessions.php is backwards - search for the 2nd part, and replace with the first!

4) the very last editing step says search for something and there is a '{' at the end... it shouldn't be there!!

5) ignore all line numbers - they refer to vbb 2.0.1!

6) do what Pogo says right above my post... he probably knows what he's talking about :) (but why didn't he complain about the encrypt_all_passwords.php file?)

now im gonna go see if my forum works still... i'll be back to whine and complain if it doesn't... :D

btw this hack seems better than the other encrypting one - i don't see why i would want to give ppl the choice of having their password in plaintext...

hmm
i made some more mistakes... don't do this:

when doing the first edit, don't take the first search match - you want to take the one at about line 115, in the "email a lost password" section (or whatever it is)

and its still not working 100% so i'll edit this later with more info

um, i can't fix the last part on my own... maybe someone who knows php can help :)

when you tell it to mail you a password, its supposed to generate one from a list of words and mail that one and store it in the database. it's getting stuck on the easy part - opening the list of words.
the instructions say:

Save the files "ppassgen.php", "encrypt_all_passwords.php", and "words.txt" to your VB "admin" directory.

You can use any word list to generate your random passwords, I used my system's /usr/dict/words. Just be sure to save your wordlist to "words.txt" in your "admin" directory.


well i did that, and i checked the chmod incase it matters, but even at 777 it doesn't work. i get this error instead:


Warning: fopen("words.txt","r") - No such file or directory in /home/mod-chi/public_html/admin/ppassgen.php on line 29

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38
(repeating forever)


the code in the first part of ppassgen.php is:


<?
/*
* function ppassgen()
* parameters:
* $words = the name of the file w/ the words (one per line)
* or and array of words
* $min = the minimum number of words per password
* $max = the maximum number of words per password
* $cutoff = the minimum number of characters per word
* $sep = separator for the words in the password
*/

function ppassgen($words= "words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") {


// This is here for cases when we email a password from the admin control panel


if(is_array($words)) {
/* if we have passed and array of words, use it */
$word_arr = "words";
/*
while(list($k,$v) = each(${$word_arr})) {
echo "$k $v<BR>";
}
*/
} else {
/* read the external file into an array */
$fp = fopen($words, "r"); <---------------------------- LINE 29

if (!fp) {
echo "[ERROR}: Could not open file $words<BR>\n";
exit;
} else {
/* assuming words of up to 127 characters */
$word_arr = "ext_arr";
while(!feof($fp)) { <---------------------------- LINE 37
$tword = trim(fgets($fp,128)); <------------------- LINE 38


/* check for minimum length and for exclusion of numbers */
if ((strlen($tword) >= $cut_off) && !ereg( "[0-9]",$tword)) {
$ext_arr[] = strtolower($tword);
}
}
fclose($fp);
}
}




i already tried the following:
not putting quotes around the filename
putting a full path to the words.txt
putting a relative path to words.txt

with no success....

The full path works fine for mefunction ppassgen($words= "/full/path/to/words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") {Yeah, I should have complained about the wrong encrypt_all_pass... file.
And don't forget to check the mod panel index.php. I think you have to modify something there too.

hmm
i might not have put /users/ or whatever at the start of my path, i'll try again...
you know what's the most annoying? this file has code in it to detect if the file open failed, but it's not working

yeah the absolute path to the file works fine...
only problem i have now is when i go to the control panel i have to log in again... dunno if i'm smart enough to figure whats wrong (cookie problem?)
i hope the vbulletin dudes put this in the code soon, i hate hacking my board!

does this work with vb 2.0.3 ?

yepp.

it seems pogo had some problems

has the install file been updated with the correct details ?

i have installed this following creamy/pogos changes and it works 100% perfect

thanks

Hi folks,

I've been on holiday, so this whole thread happened in my absence. Thanks for the feedback. Is anyone still struggling? Would it help if I updated the instructions for 2.0.3 ?

yeah that would probably help a lot... this is a kick-ass hack so keeping it updated is good :)
do you think there could be a problem somewhere? read my earlier post about it making me login again to get into he control panel - this is still happening. not a big problem but might as well fix it if possible.

OK, I'll look at updating the hack this evening...

Umm.. Do you mean that when you access your CP, you are asked for your password, although you are cookied for the normal forums?

My VB has always behaved that way, but if it's optional, I'd suspect that it relates to cookies

correct
i think it's supposed to log you in right away if you're cookied... i'm only 99% sure ;)

Hmm...

I seem to remember reading somewhere about changing the cookie path if your VB path is not your domain. (I.e. "blahblah.com/forums/") I'd fiddle with that.

my forums are like this:
forums.myserver.com
i think you only change the cookie path thing in the control panel if you have server.com/forums1 and server.com/forums2 because then the cookie would be overwritten

Hello all,

I installed the hack, and I am having a very strange problem. First, let me state that all the passwords are encrypted, and I can login.

However, I can not login to the admin! When I put in the correct user name and password, it just refreshes the page. However, if I put in an incorrect password, it tells me that its incorrect.

Again, I can login to anyplace on the boards except for the admin... please help!!

Thanks!

I'm having that same exact problem. I'm using the old version of the hack, as I like it not to use dictionary words(not nearly as easy to hack) and it won't let me into the admin CP. Same thing as him, if my password is right, it refreshes the page, if its wrong, it says so...what's with this? :)

does anybody know if this is working it's way into vb 2.0.4 (or later) versions???

encrypted passwords are really the only way to go... i'm not sure why this wasn't the original scheme???

could Coffeemugdude please post instructions how to de-install this hack

of course easy to revert script changes but what about decrypting all the passwords within the database so it puts everything back to the way it was before ?

[QUOTE]Originally posted by Raptor
could Coffeemugdude please post instructions how to de-install this hack

of course easy to revert script changes but what about decrypting all the passwords within the database so it puts everything back to the way it was before ?

The whole point of this is so that no-one can find the passwords if they're encrypted. If they could be decrypted, wouldn't that defeat the point? :)

Has this hack been automatically inserted into vB's v2.0.3 release? I don't see where you can see the passwords anywhere .. encrypted or not!

Has this hack been automatically inserted into vB's v2.0.3 release? I don't see where you can see the passwords anywhere .. encrypted or not!

Thanks!! :)
Heineken77

<font color="red">Heineken77</font> Edit your config.php to be able to see and change passwords.

I updated this hack to 2.0.3

I think I covered every password related part of the script. At least I hope so.

Now you can:
- change your password via usercp
- change the password via cp
- login during reply or new thread

Forgot anything? Please tell me.

Please get the words.txt from the old link!

Hey thank you very much for that bro!!

Just a question. What's the harm if admin can see passwords?

Thanks :)

Originally posted by Heineken77
Hey thank you very much for that bro!!

Just a question. What's the harm if admin can see passwords?

Thanks :)

I wouldn't feel confortable if the admin can see my passwords. What is some passwords are the same as my banking accounts, etc?

hacker Then you are very, very dumb.... ;)

Originally posted by Pogo
hacker Then you are very, very dumb.... ;)

Of course not, but if someone has access to the account, from there, he can snoop around and you will never know what info you have left around. There are people who use the same pwds simply because there are too many to remember.

I have a Cisco pix and a Cisco router for home and I encrypt everything...

LOL@Bank account ;) hehe

Thanks for the info guys!

is it at all possible to set this hack up so admin CAN see the passwords but they are still encrypted in the DB ?

and pogo - can i simply overwrite the old version of this hack with your new one ?

i take it i dont have to encrypt the passwords again as of course they are already done

i think the sessions changes are the wrong way around ?

Is there a way to upgrade to vb2.2.0 ?

There has been a description posted here for another MD5 hack : https://vborg.vbsupport.ru/showthread.php?s=&threadid=32000

done :)

how to posted in the above link