Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 Programming Discussions
  #1  
Old 09-01-2014, 09:06 AM
xXZarghamXx xXZarghamXx is offline
 
Join Date: Mar 2008
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Getting user password in plain text

I need to get user password in plaintext when they change there password.Then i will feed them to a hashing algo for a third party application . In profile.php which variable actually stores the user password in plaintext and its at which point.

I am interested with the start update password part

Is it
Code:
 GPC['newpassword']

Thanks for the guidance
Reply With Quote
  #2  
Old 09-01-2014, 09:40 AM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The variable is $vbulletin->GPC['newpassword'].
Hook location profile_updatepassword_start.

Although it's better to save the $vbulletin->GPC['newpassword'] variable in your own variable at profile_updatepassword_start and then use profile_updatepassword_complete to use the variable for your third party application because the password is updated/checked at that point.
Reply With Quote
  #3  
Old 09-02-2014, 12:16 PM
Scanu's Avatar
Scanu Scanu is offline
 
Join Date: Nov 2010
Posts: 829
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would have to edit template and remove something like onsubmit="md5(...password)...."
Reply With Quote
  #4  
Old 09-02-2014, 01:25 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Scanu View Post
Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would habe to edit template and remove something like onsubmit="md5(...password)...."
Good one, upon sending the form the currentpassword, newpassword and newpasswordconfirm values are being emptied and the only available variables contain MD5 hashes.
Reply With Quote
  #5  
Old 09-02-2014, 01:31 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Scanu View Post
Make sure the password is not encrypted using javascript when sending the form. If so there isn't a php variable which contains plain text password. You would habe to edit template and remove something like onsubmit="md5(...password)...."
That's true, but there are ways to turn it off without editing the javascript. You can define the constant DISABLE_PASSWORD_CLEARING (maybe in config.php) to turn off the feature entirely. If you only want to turn it off for password changes, you can set the variable $show['nopasswordempty'] to 1, maybe at the hook parse_templates, like:
Code:
if (THIS_SCRIPT == 'profile')
   $show['nopasswordempty'] = 1;
Reply With Quote
  #6  
Old 09-02-2014, 01:33 PM
Scanu's Avatar
Scanu Scanu is offline
 
Join Date: Nov 2010
Posts: 829
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Then there are 2 possibilities
Edit the 3rd party application to use md5 password or

Remove the md5 javascript function in the template (Update) or using Kevin's way above
and do something like this in php
PHP Code:
$plainpass $vbulletin->GPC['newpassword'];
$vbulletin->GPC['newpassword'] = md5($plainpass); 
Reply With Quote
  #7  
Old 09-02-2014, 11:48 PM
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I hope you are using https on your site, otherwise you are transmitting plaintext paswords over the internet, generally not a good idea.
Reply With Quote
2 благодарности(ей) от:
ozzy47, Scanu
  #8  
Old 09-03-2014, 08:49 AM
Scanu's Avatar
Scanu Scanu is offline
 
Join Date: Nov 2010
Posts: 829
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Paul M View Post
I hope you are using https on your site, otherwise you are transmitting plaintext paswords over the internet, generally not a good idea.
As far as I know, even if you send md5 hashed password over an http connection, an hacker could intercept it and remove the javascript md5 function on the client side (with Chrome it's really easy). This way the md5 password will be directly sent to the server and the hacker would gain access, so there's no big difference but yeah it's still better to not send plain text password.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 09:31 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04803 seconds
  • Memory Usage 2,236KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (1)bbcode_php
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (2)post_thanks_box_bit
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete