Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my users' passwords. :D
After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So, I made a couple of modifications, to ensure that only MD5 encrypted passwords were stored in the database. I didn't think much of it at the time; I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine.
The main issue of concern seemed to be "But now the lost-password function won't work!" I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.
I chose MD5 because I'm fond of the concept of "one-way" encryption. Now, no admin can see a member's password. :-) Enjoy!
(Instructions and a database-update script are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip ) |
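Added example, not part of the original post or of the hack's .zip: the login check and lost-password flow described above, sketched in PHP against a constructed in-memory `$users` array. `check_login` and `reset_password` are hypothetical names; the example goes beyond the hack by re-storing a legacy MD5 digest with `password_hash()` on the next successful login, and it uses `random_bytes()` instead of the pronounceable generator.

```php
<?php
// Added example. $users stands in for the user table; the row is constructed.
$users = [
    // password column as the hack leaves it: md5() hex digest of the password
    'alice' => ['password' => md5('correct horse')],
];

// Check a login without ever recovering the stored password.
// Legacy rows hold an unsalted MD5 hex digest; upgraded rows hold a
// password_hash() string, which never matches /^[a-f0-9]{32}$/.
function check_login(array &$users, string $name, string $input): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];
    if (preg_match('/^[a-f0-9]{32}$/', $stored) === 1) {
        // hash_equals() compares the two digests in constant time
        if (!hash_equals($stored, md5($input))) {
            return false;
        }
        // The cleartext is available only at this moment: re-store it
        // with a salted, slow hash so the MD5 digest leaves the table.
        $users[$name]['password'] = password_hash($input, PASSWORD_DEFAULT);
        return true;
    }
    return password_verify($input, $stored);
}

// Lost-password flow from the post: the old password cannot be read back,
// so issue a new random one, store only its hash, and return the
// cleartext once so the caller can e-mail it.
function reset_password(array &$users, string $name): ?string
{
    if (!isset($users[$name])) {
        return null;
    }
    $new = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    $users[$name]['password'] = password_hash($new, PASSWORD_DEFAULT);
    return $new;
}

var_dump(check_login($users, 'alice', 'wrong'));         // wrong password
var_dump(check_login($users, 'alice', 'correct horse')); // legacy row, upgraded
var_dump(check_login($users, 'alice', 'correct horse')); // now via password_verify
$mailed = reset_password($users, 'alice');
var_dump(check_login($users, 'alice', 'correct horse')); // old password after reset
var_dump(check_login($users, 'alice', $mailed));         // newly mailed password
```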
Though I have not installed it yet, just looking through the code and the installation instructions, it appears to be very well done!
You are a class act CoffeeMugDude. Thank you! -t |
Oops, I thought I had posted this in the VB2 hacks forum :D
BTW, thanks thewitt! |
Hi there,
yes, looks really clean & nice - very impressive! Will install it asap the next days, Thanks a bunch! :) -Tom |
Little mistake?
The changes in admin/session.php line 109 must be changed in your instructions.htm. Then it's working fine for me. |
Quote:
Although I find it very helpful at times when dealing with the users to have their password visible for certain situations. Like testing their account as them etc. |
Another one.
In member.php the whole "start update password" routine isn't handled. Find
Code:
// validate old password
Code:
// validate old password
Code:
$DB_site->query("UPDATE user SET password='".addslashes($newpassword)."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");
Code:
$DB_site->query("UPDATE user SET password='".addslashes(md5($newpassword))."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'"); |
ok first thanks for this hack, it totally rocks, and should be in vbulletin as a default feature, not hack...
i got it working now (i hope) but it took some screwing around... so i'm just putting what i did here so others can do the same:
1) do not edit the file sessions.php until AFTER you have run the update password script - you won't be able to log in to run the script if you do...
2) the file encrypt_all_passwords.php is messed up and will crash - search for "$DB_site_new" and replace with "$DB_site" before you run it...
3) the 2nd step of modifying admin/sessions.php is backwards - search for the 2nd part, and replace with the first!
4) the very last editing step says search for something and there is a '{' at the end... it shouldn't be there!!
5) ignore all line numbers - they refer to vbb 2.0.1!
6) do what Pogo says right above my post... he probably knows what he's talking about :) (but why didn't he complain about the encrypt_all_passwords.php file?)
now i'm gonna go see if my forum works still... i'll be back to whine and complain if it doesn't... :D |
btw this hack seems better than the other encrypting one - i don't see why i would want to give ppl the choice of having their password in plaintext...
|
hmm
i made some more mistakes... don't do this: when doing the first edit, don't take the first search match - you want to take the one at about line 115, in the "email a lost password" section (or whatever it is)
and it's still not working 100% so i'll edit this later with more info |
um, i can't fix the last part on my own... maybe someone who knows php can help :)
when you tell it to mail you a password, it's supposed to generate one from a list of words and mail that one and store it in the database. it's getting stuck on the easy part - opening the list of words. the instructions say:
Quote:
Code:
Warning: fopen("words.txt","r") - No such file or directory in /home/mod-chi/public_html/admin/ppassgen.php on line 29
Code:
<?
i already tried the following:
- not putting quotes around the filename
- putting a full path to the words.txt
- putting a relative path to words.txt
with no success.... |
The full path works fine for me
Code:
function ppassgen($words= "/full/path/to/words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") {
And don't forget to check the mod panel index.php. I think you have to modify something there too. |
hmm
i might not have put /users/ or whatever at the start of my path, i'll try again... you know what's the most annoying? this file has code in it to detect if the file open failed, but it's not working |
yeah the absolute path to the file works fine...
only problem i have now is when i go to the control panel i have to log in again... dunno if i'm smart enough to figure what's wrong (cookie problem?) i hope the vbulletin dudes put this in the code soon, i hate hacking my board! |
does this work with vb 2.0.3 ?
|
yepp.
|
it seems pogo had some problems
has the install file been updated with the correct details ? |
i have installed this following creamy/pogos changes and it works 100% perfect
thanks |
Hi folks,
I've been on holiday, so this whole thread happened in my absence. Thanks for the feedback. Is anyone still struggling? Would it help if I updated the instructions for 2.0.3 ? |
yeah that would probably help a lot... this is a kick-ass hack so keeping it updated is good :)
do you think there could be a problem somewhere? read my earlier post about it making me login again to get into the control panel - this is still happening. not a big problem but might as well fix it if possible. |
OK, I'll look at updating the hack this evening...
Umm.. Do you mean that when you access your CP, you are asked for your password, although you are cookied for the normal forums? My VB has always behaved that way, but if it's optional, I'd suspect that it relates to cookies |
correct
i think it's supposed to log you in right away if you're cookied... i'm only 99% sure ;) |
Hmm...
I seem to remember reading somewhere about changing the cookie path if your VB path is not your domain. (I.e. "blahblah.com/forums/") I'd fiddle with that. |
my forums are like this:
forums.myserver.com i think you only change the cookie path thing in the control panel if you have server.com/forums1 and server.com/forums2 because then the cookie would be overwritten |
Hello all,
I installed the hack, and I am having a very strange problem. First, let me state that all the passwords are encrypted, and I can login. However, I can not login to the admin! When I put in the correct user name and password, it just refreshes the page. However, if I put in an incorrect password, it tells me that it's incorrect. Again, I can login to anyplace on the boards except for the admin... please help!! Thanks! |
I'm having that same exact problem. I'm using the old version of the hack, as I like it not to use dictionary words (not nearly as easy to hack) and it won't let me into the admin CP. Same thing as him, if my password is right, it refreshes the page, if it's wrong, it says so...what's with this? :)
|
does anybody know if this is working its way into vb 2.0.4 (or later) versions???
encrypted passwords are really the only way to go... i'm not sure why this wasn't the original scheme??? |
could Coffeemugdude please post instructions how to de-install this hack
of course easy to revert script changes but what about decrypting all the passwords within the database so it puts everything back to the way it was before ? |
Quote: Originally posted by Raptor
could Coffeemugdude please post instructions how to de-install this hack of course easy to revert script changes but what about decrypting all the passwords within the database so it puts everything back to the way it was before ? |
The whole point of this is so that no-one can find the passwords if they're encrypted. If they could be decrypted, wouldn't that defeat the point? :)
|
Has this hack been automatically inserted into vB's v2.0.3 release? I don't see where you can see the passwords anywhere .. encrypted or not!
|
Has this hack been automatically inserted into vB's v2.0.3 release? I don't see where you can see the passwords anywhere .. encrypted or not!
Thanks!! :) Heineken77 |
Heineken77: Edit your config.php to be able to see and change passwords.
|
I updated this hack to 2.0.3
I think I covered every password related part of the script. At least I hope so. Now you can:
- change your password via usercp
- change the password via cp
- login during reply or new thread
Forgot anything? Please tell me. Please get the words.txt from the old link! |
Hey thank you very much for that bro!!
Just a question. What's the harm if admin can see passwords? Thanks :) |
Quote:
|
hacker Then you are very, very dumb.... ;)
|
Quote:
I have a Cisco pix and a Cisco router for home and I encrypt everything... |
LOL@Bank account ;) hehe
Thanks for the info guys! |
is it at all possible to set this hack up so admin CAN see the passwords but they are still encrypted in the DB ?
and pogo - can i simply overwrite the old version of this hack with your new one ? i take it i don't have to encrypt the passwords again as of course they are already done |