vb.org Archive
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Removing Salt (https://vborg.vbsupport.ru/showthread.php?t=149826)

Norco 06-16-2007 02:55 AM
Removing Salt
 
Hello everyone.

I just purchased a vbulletin forum, which I want to integrate my users from my current site (a user system which I coded, and has approximately 4000 members. I thought all I would need to do is transfer them into the vb user table, but I noticed the salt which I don't use on my site which I am wanting to integrate with. I do use md5 encryption for the passwords although.

I am wondering how I would go about removing the salt system from my forum so it doesn't use it to login / out. I've already searched the forum for such things, but no one really said how, or just mentioned its a big security risk (I'm willing to take that chance).

Thanks to anyone who helps me through this process. And please remember, if you are, explain in a little more detail then you probably usually are used to. I don't know to much about anything.. I just installed vbulletin today!

Coders Shack 06-16-2007 03:30 AM
mass email telling them to request their passwords? or mass password reset message. lol

Norco 06-16-2007 03:36 AM
Right now I am thinking it would be easier to use the same salt system on my website usersystem... but how? Hmmm.

Even if I did install it, I would have to mass email all 4000 members linking to a password reset form where they would have to enter their email, which would email them a temporary password, but would update the hash for it. Problem is about that is I have no clue how to do it... I would need to find the same type of salt system vb uses, or extract it from the coding..

Dismounted 06-16-2007 04:33 AM
salt is a random 3-character combination generated on registration, so you would simply have to assign users a random 3-letter combination. Passwords are encrypted like so:
PHP Code:
md5(md5($password) . $salt

Norco 06-16-2007 02:59 PM
Ok, I have decided to migrate the salt system to my user system on my website. In the coding for the salt system I've come up with.. this is how is randomly sets a salt:


PHP Code:
$salt md5(rand(1,5000) * rand(1,5000) * rand(1,5000));

$password md5($password $salt); 
I would 'NOT' be using the vbulletn registration system, it would all be done through my website. So.. if everyone of my useres reset their password (which I would include the whole salt thing when its done) it would update for the site system, and the forum?

Right?

Brad 06-16-2007 08:40 PM
In vBulletin the salt is generated like this;

From the file /includes/class_dm_user.php

PHP Code:
    /**
    * Generates a new user salt string
    *
    * @param    integer    (Optional) the length of the salt string to generate
    *
    * @return    string
    */
    function fetch_user_salt($length SALT_LENGTH// Note; by default SALT_LENGTH is 3
    {
        $salt '';

        for ($i 0$i $length$i++)
        {
            $salt .= chr(rand(32126));
        }

        return $salt;
    } 
Depending on how your current system works you may or may not need to reset the passwords. Can you give us some code to look at?

Once you get your custom registration system hashing passwords like vBulletin all you'll have to do is get that data over to the vBulletin database (pretty easy task).

Paul M 06-16-2007 09:27 PM
You could just set the salt column in the users table to '' (null string) for everyone - and edit the function that vb uses (shown above) to always return '' as well.

(in fact, defining SALT_LENGTH as 0 might be enough, not sure where that is set)

Brad 06-17-2007 12:10 AM
Line 18 in the file class_dm_user.php :)

I usually change it to something other than the default when I install vBulletin. I don't know if it helps much but hey...why not? :)

Norco 06-17-2007 12:50 AM
What could would you like to see? Login?

Edit; I need to know like, how the login of the vb uses the salt with the md5 encrypted password to check if it is right.

Dismounted 06-17-2007 04:27 AM
It just compares the two passwords.


All times are GMT. The time now is 05:01 AM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01182 seconds
  • Memory Usage 1,741KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (3)bbcode_php_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete