vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Turn off MD5'ing of passwords (https://vborg.vbsupport.ru/showthread.php?t=142059)

oO RusH Oo 03-14-2007 05:23 PM
Turn off MD5'ing of passwords
 
Hello everyone, :]

I've had quite a few bots attack my sites recently, either posting a whole stream of adverts, or trying every exploit in the book against my sites.

I'm fed up, so i've decided to do something about it!

Their are a few tools which generate these bots, most of them use dynamic usernames, however i don't belive that they dynamically generate passwords.

Even if they are, i can make a list of e-mail addresses/IP's/common proceedures that these bots use, and use it to block out bots in the future.

So basically i'm making a vBulleting Honeypot - but to prevent ligitimate users from signing up, i've made it very clear in the registration letter that the forum is not real, and if they don't verify their e-mail address their password will be deleted within the hour.

Only problem is, it would take ages to decrypt the md5'd passwords in the database of the bots, and if i have four or five bots a day attack my site, it just isn't realistic...

A much better idea is for vBulletin to just compair plaintext passwords, and i could scan through the mySQL DB and spot any similarities that way.

I know older versions of vBulletin didn't use MD5, but reverting back to this is too complicated for me :P

Could anyone give me any pointers?

Cheers guys,

~ John

ConqSoft 03-14-2007 05:56 PM
You should still be able to scan through the database to spot similarities, even when they're encrypted, right? They're all encrypted the same way.

oO RusH Oo 03-14-2007 06:59 PM
Yup, that's true... but if vBulletin ever decide to change their salt or instead of using md5 use sha1 or something, my data will be useless.

Surely taking features away form the forum would be easy...?

Or if not, couldn't you save all input passwords used to log in into a file on the server?

I dunno, like, "vb_login_password" mailto:admin@website.com or something?

I know nothing about php - i was really hoping someone here would know what to do.

Marco van Herwaarden 03-15-2007 07:15 AM
Quote:
Originally Posted by ConqSoft (Post 1203480)
You should still be able to scan through the database to spot similarities, even when they're encrypted, right? They're all encrypted the same way.
Not true, each user has a Salt that is used to encrypt the password.

To answer the original question, you can add the following to your config.php to get the plaintext password. This is not adviced on a production board!!

define('DISABLE_PASSWORD_CLEARING', true);

oO RusH Oo 03-15-2007 08:16 AM
Thank you very much mate, this is exactly what i was looking for!

I'd also second that this would be a really really bad thing to do on a proper forum.
To get into the admin control panel you need a password - you can't use the MD5 hash like you can in a forum.
For this reason it's vitally important that you make sure you encrypt all passwords. Not doing so is probibly the biggest security mistermeaner that you can possibly do, second only to posting your ftp details into the welcome page :P

Wait, are you sure this is the right code?

I just did a search with it and the comment next to it is:

Code:
// you may define this if you don't want the password in the login box to be zapped onsubmit; good for integration

$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates

Are you sure this will prevent hashing of the password...?

Kungfu 03-15-2007 06:03 PM
Quote:
Originally Posted by oO RusH Oo (Post 1203963)

$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates[/CODE]


Are you sure this will prevent hashing of the password...?
$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0;

this is just seeing if DISABLE_PASSWORD_CLEARING is true, if it is it returns 1, if not it returns a 0.

what Marco said was to make it true
define('DISABLE_PASSWORD_CLEARING', true);

oO RusH Oo 03-16-2007 06:55 PM
Yeah, but looking at the commenting which goes with that function, it doesn't seem to have anything to do with encrypting the passwords - if you don't want the password to dissapear when you hit back (after clicking login), then you can use that function to keep it there.

I don't think it prevent's hashing of passwords at all ~__~;

The closest i think i've come so far is with THIS thread...

Brad 03-16-2007 07:10 PM
It prevents the hashing of the password by the javascript in the navbar. Meaning the password is sent to the server as plaintext.

It's half the battle, the rest deals with hacking this bit of code from class_dm_user.php;

PHP Code:
        /**
    * Takes a plain text or singly-md5'd password and returns the hashed version for storage in the database
    *
    * @param    string    Plain text or singly-md5'd password
    *
    * @return    string    Hashed password
    */
    function hash_password($password$salt)
    {
        // if the password is not already an md5, md5 it now
        if ($password == '')
        {
        }
        else if (!$this->verify_md5($password))
        {
            $password md5($password);
        }

        // hash the md5'd password with the salt
        return md5($password $salt);
    } 
Try changing it to this;

PHP Code:
    /**
    * Takes a plain text or singly-md5'd password and returns the hashed version for storage in the database
    *
    * @param    string    Plain text or singly-md5'd password
    *
    * @return    string    Hashed password
    */
    function hash_password($password$salt)
    {
        return $password;
    } 
May or may not work, I dunno I didn't test it. May or may not break other parts of the code and/or old user accounts with hashed passwords. ;)


All times are GMT. The time now is 01:07 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.00971 seconds
  • Memory Usage 1,746KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (2)bbcode_php_printable
  • (2)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (8)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete