The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Getting user password in plain text
I need to get the user's password in plaintext when they change their password. Then I will feed it to a hashing algo for a third party application. In profile.php, which variable actually stores the user password in plaintext, and at which point?
I am interested in the "start update password" part. Is it
Code:
GPC['newpassword']
Thanks for the guidance
#2
The variable is $vbulletin->GPC['newpassword'].
Hook location: profile_updatepassword_start. Although it is better to save the $vbulletin->GPC['newpassword'] variable in your own variable at profile_updatepassword_start and then use profile_updatepassword_complete to pass the variable to your third party application, because the password is updated/checked at that point.
#3
Make sure the password is not encrypted using JavaScript when sending the form. If so, there isn't a PHP variable which contains the plain text password. You would have to edit the template and remove something like onsubmit="md5(...password)...."
#4
Good one. Upon sending the form, the currentpassword, newpassword and newpasswordconfirm values are being emptied and the only available variables contain MD5 hashes.
#5
Code:
if (THIS_SCRIPT == 'profile') $show['nopasswordempty'] = 1;
#6
Then there are 2 possibilities: edit the 3rd party application to use the md5 password, or remove the md5 JavaScript function in the template. (Update: or use Kevin's way above and do something like this in PHP.)
PHP Code:
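The hook pair described in post #2, combined with the $show['nopasswordempty'] trick from post #5 that post #6 refers to, carried through as an added example. This is editor-written code, not code from the thread, from Kevin, or from vBulletin itself. The hook names and $vbulletin->GPC['newpassword'] come from the thread; the myapp_* helper names, the myapp_password table and the salted-SHA-256 scheme are placeholders for whatever the third party application actually expects, and the newpassword_md5 field name is assumed to follow vBulletin's client-side md5hash() convention.

```php
// Added example, not code from this thread or from vBulletin. Three vBulletin 3.x
// plugin bodies, one Plugin Manager entry per named hook (no <?php tag there).
// Placeholders (assumptions, not from the thread): the myapp_* helpers, the
// myapp_password table and the salted-SHA-256 scheme stand in for whatever the
// third-party application really expects.

// ---- plugin 1, hook "global_start" -----------------------------------------
// Post #5's trick: keep the plaintext field populated on the profile form so
// that both newpassword and newpassword_md5 are posted to the server.
if (THIS_SCRIPT == 'profile')
{
	$show['nopasswordempty'] = 1;
}

// ---- plugin 2, hook "profile_updatepassword_start" -------------------------
// Copy the plaintext out of GPC now (post #2) but do not use it yet: vBulletin
// has not verified currentpassword or the newpassword/confirm match.
$myapp_plain_newpassword = '';
if (isset($vbulletin->GPC['newpassword']) AND $vbulletin->GPC['newpassword'] !== '')
{
	$myapp_plain_newpassword = $vbulletin->GPC['newpassword'];
}
// else: the template's md5hash() emptied the field (post #4); only the MD5
// arrived and there is nothing to forward. Do not fall back to that MD5 unless
// the third-party application was changed to accept it (post #6, option 1).

// ---- plugin 3, hook "profile_updatepassword_complete" ----------------------
// Runs after vBulletin has checked and saved the new password, so the third
// party never receives a password that vBulletin rejected.
if ($myapp_plain_newpassword !== '')
{
	if (!function_exists('myapp_third_party_hash'))
	{
		// Placeholder scheme: random 16-byte salt + SHA-256. Swap in the real one.
		function myapp_third_party_hash($plain)
		{
			$salt = bin2hex(openssl_random_pseudo_bytes(16)); // PHP 5.3+
			return $salt . '$' . hash('sha256', $salt . $plain);
		}

		// Placeholder storage in a hypothetical table myapp_password(userid, hash).
		function myapp_store_hash(&$vbulletin, $userid, $hash)
		{
			$vbulletin->db->query_write("
				REPLACE INTO " . TABLE_PREFIX . "myapp_password (userid, hash)
				VALUES (" . intval($userid) . ", '" . $vbulletin->db->escape_string($hash) . "')
			");
		}
	}

	myapp_store_hash($vbulletin, $vbulletin->userinfo['userid'],
		myapp_third_party_hash($myapp_plain_newpassword));

	// Never log or store the plaintext; drop the copy as soon as it is hashed.
	$myapp_plain_newpassword = '';
}
```

Plugin 1 is what makes plugin 2 see anything at all: with the stock template the md5hash() JavaScript empties the plaintext fields before submit (posts #3 and #4). Once the plaintext does cross the wire, post #7 applies and the profile page has to be served over HTTPS; the third party should only ever receive and store the hash produced in plugin 3.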
#7
I hope you are using HTTPS on your site, otherwise you are transmitting plaintext passwords over the internet, which is generally not a good idea.
#8
As far as I know, even if you send an MD5-hashed password over an HTTP connection, a hacker could intercept it and remove the JavaScript md5 function on the client side (with Chrome it's really easy). This way the md5 password will be directly sent to the server and the hacker would gain access, so there's no big difference, but yeah, it's still better to not send the plain text password.