[SMF] Imported User Password Hack

Resource : [SMF] Imported User Password Hack
Type : Source Code Modification
Version : 0.1
Author : mf @ http://www.videngineering.net

Description : After SMF import, no need to reset password!

vBulletin impex hashes all imported passwords with salt; md5(old_password . salt). For most forums, that means md5(md5(password) . salt). For SMF, however, that means md5(md5_hmac(password, username) . salt). Since vB login checks for md5(md5(password) . salt), that means an imported SMF user will have to have his/her password reset. That, or you install this little hack.

Tested : Yes, tested on 3.5.0 Stable (will not work on vB 2.x or 3.0.x)

Screenshot : None, obviously

Notes : My first hack :speechless:

[muf]

Quote:

Originally Posted by Floris

He means it doesn't hurt to have users change their password anyway, despite the layer of security, passwords should be rotated more frequently to avoid abuse.

And that is why I said that if you do not require the password to be different (rotated) from the original password, users will simply use the original password. Also, security experts are returning from the old notion that frequent password rotation is secure; many companies have practically experienced that password rotation simply means users will start using weaker and weaker passwords, and when they are forced to use strong passwords, they will write it down on post-it notes and such in order to keep themselves from forgetting it. It is better to let users come up with one good password, stick with it, and let nobody intercept it, than it is to keep changing passwords until the whole meaning of the word password is lost. That said, the number of passwords I use (strong as well as weak) can be counted on one hand. But then again, I don't rely on passwords for most of my security.

[Parham]

Thanks For This Great Modification ! [ Installed ! ]

[DeMiNe0]

this doesn't work on 3.5.3

[envoys]

Did not work for me on 3.5.4... 40,000 users have to reset passwords now.

[bouncybounce]

I downloaded version 3.5.0 and tried this with a fresh install and it didn't work.

The import went OK, but users cannot insert their old password. I did notice that some of the code that the author of this mod mentioed arte actually slightly different in the version 3.5.0, that I downloaded. Perhaps some settings have been changed since the author originally wrote this mod?

Anyway, it doesn't work anymore. Shame. :tired:

[muf]

Quote:

Originally Posted by bouncybounce

I downloaded version 3.5.0 and tried this with a fresh install and it didn't work.

The import went OK, but users cannot insert their old password. I did notice that some of the code that the author of this mod mentioed arte actually slightly different in the version 3.5.0, that I downloaded. Perhaps some settings have been changed since the author originally wrote this mod?

Anyway, it doesn't work anymore. Shame. :tired:

I'll post an updated version once I upgrade to the latest 3.5.x. The strange thing still is I have the thing running on my 3.5.0 (installed as per my own instructions), and it just works. So unless anyone could pass me any type of usable debug info I won't be able to make it magically work for everyone else. A possibility is also that the impex password hashing has changed (for whatever reason). To reproduce my SMF->vB import process (which I performed before direct SMF->vB3.5 imports were possible), first use ImpEx to go from SMF to vB 3.0.7, then use the upgrade feature to go from 3.0.x to 3.5.x. See if that helps. Other than that, big shame it isn't working guys! My sincere apologies but I have no idea as to the source of the problem. Maybe I'm just being a bit of a n00b (after all this *is* my first hack).

[bouncybounce]

Hi

I actually found that a few of the lines in the vBulletin code were slightly different from the ones posted in your instructions. I wonder if there has been some slight ammendments done even to the 3.5.0 version?

Either that or I got the instructions wrong, but I don't think so. I can't remember which template it was now, but it was towards the end of the process.

[prophecydude]

So which version does this ACTUALLY work on? I am converting a SMF 1.1.1 forum to 3.6.4, and I need to know if this will work. I don't mind trying an older copy of vBulletin and upgrading afterwards.

[cheesegrits]

I'm importing SMF 1.1.4 to vB 3.7b5, and it seems that SMF's password hashing has changed since this mod was released. It now uses sha1() instead of md5_hmac().

So I had a go at it, and got vB authentication working without having to edit any files (except one line in config.php). All it needs is:

1) In your ./includes/config.php, insert this line:

PHP Code:

define('DISABLE_PASSWORD_CLEARING', 1); 


NOTE - this forces vB to send a cleartext password from the browser to the server when you login. This is a potential security risk, albeit a very unlikely one to be exploited - if anyone has compromised your systems to the point that they can pick this information off the wire, you have bigger problems than exposing some passwords! But regardless, you should really treat this as a transitional hack, and give your users something like a month to change their passwords, before you disable this stuff.

2) Create a plugin on the 'login_failure_verify_password' hook, and paste this PHP into it:

PHP Code:

if ($vbulletin->GPC['vb_login_password'])
{
    $hack_username = preg_replace('#^imported_#','',$vbulletin->GPC['vb_login_username']);
    $sha_passwd = sha1(strtolower($hack_username) . unhtmlspecialchars(stripslashes($vbulletin->GPC['vb_login_password'])));
    $vb_passwd = md5($sha_passwd . $vbulletin->userinfo['salt']);
    if ($vbulletin->userinfo['password'] == $vb_passwd)
    {
        unset($return_value);
    }
} 


And that's it.

The way this works is, if the regular vB password verification fails (using the md5 version of the password, which will fail if they still have their impex'ed SMF password set), the plugin is called. Because we set DISABLE_PASSWORD_CLEARING in config.php, vB is now including the clear text password from the browser during login. So the plugin can take that cleartext password, and hash it using SMF's method, and see if that matches the stored hash. If it does, then they have a valid SMF style password.

Note that the code above also works for any usernames which have been changed from 'joeblow' to 'imported_joeblow' due to username conflicts on the impex

Although I'm using vB 3.7b5, I think this method should work for 3.6 as well. I have no idea which versions of SMF this will work for - all I know is, it works for the SMF v1.1.4 users I'm importing.

I may add automatic changing of the password to a native vB password the first time an SMF user logs in, and release this as a mod. But if not ... maybe the above will help someone out.

-- hugh

[Raptor]

would this work for an ikonboard 3.0 import as im having the same issue with passwords - thanks