Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
Reload this Page Account Password Vulnerability - enhancing it more?
FAQ Community Calendar Today's Posts Search

Reply
Page 2 of 2 1 2
 
Thread Tools Display Modes
  #11  
Old 01-23-2015, 07:04 PM
Skyrider Skyrider is offline
 
Join Date: Feb 2006
Location: Netherlands
Posts: 1,392
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by kh99 View Post
You should find a call to fetch_random_password(8) in login.php.
That, I can. But I'm unable to find the letters being used.

Code:
$password_characters = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz';
is not found in login.php, as such resetting passwords on the users end (normal recovery) isn't using the password characters through functions.php, I tried and it just gives a normal password with no new characters I added.
Reply With Quote
  #12  
Old 01-23-2015, 07:17 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Oh, well, you don't find the string of letters there because they should only occur once, in fetch_random_password(), which is called from both places. But if you're not seeing the new chars when you request a password change, then there must be something else going on. I'll take a look and post back if you haven't figured it out by then.
Reply With Quote
  #13  
Old 01-23-2015, 07:29 PM
Skyrider Skyrider is offline
 
Join Date: Feb 2006
Location: Netherlands
Posts: 1,392
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I just searched all *.PHP files.. "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwx yz" and or $password_characters is only called in functions.php, so currently no idea where else to look.
Reply With Quote
  #14  
Old 01-23-2015, 07:35 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Oh, did you actually try requesting a password change? What I was trying to say is that the code in login.php should use the variable with the string of characters that you already changed, so it should change in both cases. If you want to increase the length then you should change login.php where it says fetch_random_password(8) (to something higher than 8).
Reply With Quote
  #15  
Old 01-23-2015, 07:35 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
You need to change the string in the fetch_random_password function because it's not a global variable.
Reply With Quote
  #16  
Old 01-23-2015, 09:50 PM
Skyrider Skyrider is offline
 
Join Date: Feb 2006
Location: Netherlands
Posts: 1,392
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by kh99 View Post
Oh, did you actually try requesting a password change? What I was trying to say is that the code in login.php should use the variable with the string of characters that you already changed, so it should change in both cases. If you want to increase the length then you should change login.php where it says fetch_random_password(8) (to something higher than 8).
I've changed the password characters within functions.php
Code:
$password_characters = '123456789!@#$%^&*()ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz';
Which appears to be working when I use the Check Vulnerable Passwords function. However, when I normally request a new password (forgotten password) for example, I still get the normal ABC,abc passwords, rather than the extra numbers and symbols I placed in.

EDIT!

Nvm! I spoke to soon. It appears to be working after all, thanks folks!

Quote:
As you requested, your password has now been reset. Your new details are as follows:

Username: skytest
Password: 16%R&EG5pDt(UPX
Honestly, that sounds like a much better / secured password by default.
Reply With Quote
Reply
Page 2 of 2 1 2

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 02:49 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04059 seconds
  • Memory Usage 2,217KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (6)post_thanks_box
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (6)post_thanks_postbit_info
  • (6)postbit
  • (6)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete