vb.org Archive


xXZarghamXx 09-01-2014 09:06 AM

Getting user password in plain text
 
I need to get the user's password in plaintext when they change their password. Then I will feed it to a hashing algo for a third party application. In profile.php, which variable actually stores the user password in plaintext, and at which point?

I am interested in the start update password part.

Is it
Code:

GPC['newpassword']

Thanks for the guidance

Dave 09-01-2014 09:40 AM

The variable is $vbulletin->GPC['newpassword'].
Hook location profile_updatepassword_start.

Although it's better to save the $vbulletin->GPC['newpassword'] variable in your own variable at profile_updatepassword_start and then use profile_updatepassword_complete to use the variable for your third party application because the password is updated/checked at that point.

Scanu 09-02-2014 12:16 PM

Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would have to edit template and remove something like onsubmit="md5(...password)...."

Dave 09-02-2014 01:25 PM

Quote:

Originally Posted by Scanu (Post 2513470)
Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would have to edit template and remove something like onsubmit="md5(...password)...."

Good one, upon sending the form the currentpassword, newpassword and newpasswordconfirm values are being emptied and the only available variables contain MD5 hashes.

kh99 09-02-2014 01:31 PM

Quote:

Originally Posted by Scanu (Post 2513470)
Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would have to edit template and remove something like onsubmit="md5(...password)...."

That's true, but there are ways to turn it off without editing the javascript. You can define the constant DISABLE_PASSWORD_CLEARING (maybe in config.php) to turn off the feature entirely. If you only want to turn it off for password changes, you can set the variable $show['nopasswordempty'] to 1, maybe at the hook parse_templates, like:
Code:

if (THIS_SCRIPT == 'profile')
  $show['nopasswordempty'] = 1;


Scanu 09-02-2014 01:33 PM

Then there are 2 possibilities
Edit the 3rd party application to use md5 password or

Remove the md5 javascript function in the template (Update) or using Kevin's way above
and do something like this in php
PHP Code:

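// Keep the plain-text password for the third-party application
$plainpass = $vbulletin->GPC['newpassword'];
// Replace the submitted value with its MD5 hash
$vbulletin->GPC['newpassword'] = md5($plainpass);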
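
Added example (not part of any post in this thread, and not vBulletin's own code): the two-hook approach discussed above, arranged so the plaintext is hashed for the third-party application at profile_updatepassword_start and only the derived hash is carried to profile_updatepassword_complete. The `$vbulletin` stub, `thirdparty_store_hash()`, the two function names and the choice of bcrypt are assumptions; in vBulletin the function bodies would live in plugins on the named hooks.

```php
<?php
// Constructed stand-in for vBulletin's registry so this file runs on its own.
$vbulletin = new stdClass();
$vbulletin->GPC = array('newpassword' => 'Tr0ub4dor&3-sample'); // constructed value
$vbulletin->userinfo = array('userid' => 42);                   // constructed value

// Hypothetical sink for the third-party application; replace with its real API.
function thirdparty_store_hash($userid, $hash)
{
    // Report only that a hash was stored, never the password or the hash itself.
    echo "stored " . strlen($hash) . "-char hash for user $userid\n";
    return true;
}

// Body for hook profile_updatepassword_start: derive the hash, keep no plaintext.
function on_updatepassword_start($vbulletin)
{
    $plain = (string) $vbulletin->GPC['newpassword'];
    if ($plain === '') {
        // Field was emptied by the client-side MD5 script: no plaintext reached PHP.
        return null;
    }
    // Assumption: the third-party application verifies bcrypt via password_verify().
    return password_hash($plain, PASSWORD_BCRYPT);
}

// Body for hook profile_updatepassword_complete: vBulletin has checked and
// applied the change by this point, so the derived hash can be pushed.
function on_updatepassword_complete($vbulletin, $pending_hash)
{
    if ($pending_hash === null) {
        return false; // nothing captured, leave the third-party record untouched
    }
    return thirdparty_store_hash($vbulletin->userinfo['userid'], $pending_hash);
}

// Case 1: plaintext reached the server (password clearing disabled).
$pending = on_updatepassword_start($vbulletin);
var_dump(on_updatepassword_complete($vbulletin, $pending));

// Case 2: the form script cleared the field before submit.
$vbulletin->GPC['newpassword'] = '';
$pending = on_updatepassword_start($vbulletin);
var_dump(on_updatepassword_complete($vbulletin, $pending));
```

Hashing at the start hook means the plaintext never has to be written to a file, the database or a log between the two hooks.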


Paul M 09-02-2014 11:48 PM

I hope you are using https on your site, otherwise you are transmitting plaintext passwords over the internet, generally not a good idea.

Scanu 09-03-2014 08:49 AM

Quote:

Originally Posted by Paul M (Post 2513560)
I hope you are using https on your site, otherwise you are transmitting plaintext passwords over the internet, generally not a good idea.

As far as I know, even if you send an md5-hashed password over an http connection, a hacker could intercept it and remove the javascript md5 function on the client side (with Chrome it's really easy). This way the md5 password will be directly sent to the server and the hacker would gain access, so there's no big difference, but yeah, it's still better to not send a plain text password.

