Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 02-06-2008, 11:20 AM
Quantel Quantel is offline
 
Join Date: Jan 2008
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Turn off client side password encryption

I am writing a plugin to enable us to authenticate users against Lotus Notes but need to receive the password in plain text rather than the encrypted form that vB sends via client side encyrption through the md5hash function of the vbulletin_md5.js file.

Can anyone shed any light on how to turn off the client side encryption? From tests, you can still login with Javascript turned off in the browser so I don't see that disabling this will prevent user login.

To alleviate any security concerns, the forum will be running over an SSL link.

Many thanks for any assistance!
Reply With Quote
  #2  
Old 02-06-2008, 12:01 PM
Magnumutz's Avatar
Magnumutz Magnumutz is offline
 
Join Date: Feb 2006
Location: Romania
Posts: 731
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Don't you think that you should work harder for that, instead of breaking the privacy of your users by having their passwords?
Reply With Quote
  #3  
Old 02-06-2008, 12:11 PM
Quantel Quantel is offline
 
Join Date: Jan 2008
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Don't you think that you should work harder for that
Not really - as you are no doubt aware, some systems use encryption systems other than md5 or md5 with a salt. In this case with Lotus, the password is encrypted for comparison to the stored password on the server and thus the only way to log in against it is to send a plain text password from the client.

Any system worth its pennies will not allow an encrypted password to be seen based upon the submission of a correct username. LN is the same - you can't just send the username and get back the encrypted password to then be compared against the password encrypted at client level by vB.

Quote:
instead of breaking the privacy of your users by having their passwords?
Me having their passwords and thus breaking their privacy is subjective as I have access to the database and of course all data. As far as the transmission of plain text passwords, SSL addresses that concern.
Reply With Quote
  #4  
Old 02-06-2008, 12:15 PM
nexialys
Guest
 
Posts: n/a
Default

actually Magnumutz, you are completely aside of the track, so please, don't be rude with the client.

@Quantel, there is a way to retrieve the uncrypted password, and as you are using SSL on your site, this may be the solution... as you already tested it, deactivating the javascript in the login process is a good way, and there is a minimum of hacking needed to do it internally... i think there is already a solution released in the Mods section...
Reply With Quote
  #5  
Old 02-06-2008, 02:17 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If i remember correct the following in your config.php should also enable sending of plaintext passwords:
PHP Code:
define('DISABLE_PASSWORD_CLEARING'true); 
Be aware however that this does decrease password security a lot.

A much better solution would be to add the second hashing mechanism to the hashed passwords available in the application.

To do this on the vBulletin side, you might consider change the password hashing on the client side and has it also in the format Notes expects before clearing the plaintext vBulletin password.

I guess it is better to sent 2 hashed versions of the password over the internet, then 1 time in plaintext.
Reply With Quote
  #6  
Old 02-06-2008, 02:48 PM
Quantel Quantel is offline
 
Join Date: Jan 2008
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The "define('DISABLE..." worked a treat. I do agree that there might be a decrease in security but I think that this is reduced in impact by the use of SSL. In this particular case though, if we were to only use the md5'd password, that would be sent to Lotus, be md5'd again and of course would subsequently fail the authentication.

Thank-you for your assistance Marco, and nexialys!
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:40 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04141 seconds
  • Memory Usage 2,210KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (6)post_thanks_box
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (6)post_thanks_postbit_info
  • (6)postbit
  • (5)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete