[release vb2] Database Password Encryption

Updated 15th July 2001
Simplish hack that allows end users to chose if they want to store encrypted versions of their password.

Full details of how this is implemented are contained in the file.
Requirements:
vBulletin 2.0.0
This has not been tested on rc1/2/3 beta1-5. It might work or it might not.

From the june 3rd update onwards a installation script is included, full details in the instructions.

[rebby]

i'm getting some errors but i may have made a typo. checking that now... i will let you know how things work for me.

[rebby]

it appears that i do NOT have a typo... what i'm getting is "The document contained no data."
when attempting to change my options in the user cp.. any ideas???

[rebby]

Quote:

Originally posted by rebby
it appears that i do NOT have a typo... what i'm getting is "The document contained no data."
when attempting to change my options in the user cp.. any ideas???

i also get this when clicking change avatar.

[rebby]

the problem was w/the modifyoptions template...

[Ruth]

i'm not positive about this, but with this hack forgot pass template will not work, so users can't get their passwords emailed to them.

and with many registered users, i am not prepared to get emails asking ...what is my password?

[dabean]

Quote:

Originally posted by Ruth
i'm not positive about this, but with this hack forgot pass template will not work, so users can't get their passwords emailed to them.

and with many registered users, i am not prepared to get emails asking ...what is my password?

This is not a problem with this hack as the password lookup functions are replaced with a automatic password regenerator should the password be encrypted.

Firstly the code checks to see if the password has been encypted if it has then a email is sent the account holder (valid email addresses are required for this feature to work, but vBulletin can check the validity at registration so its not that much of a problem).

Overview

• Account holder requests a password lookup.
• The account holder checks their email like they would for a normal password lookup. But this time they get a link to follow.
• After following the link there new password is generated (does not use a wordlist to stop dictionary brute force attacks) and emailed to them. Or you could/can hack the template to display it on screen if you so wish.

The reason for the middle step in process is to prevent people typing in email addresses of their friends for fun and causing there password to get changed.

[DarkReaper]

I have this installed on 2.0.3 but now I can't get into my Admin CP. If the password is wrong it says it is, but if its right it just refreshes the page. Help!

[DarkReaper]

Hello???

Has anyone gotten this to work on vB 2.0.3??

[dabean]

Works fine with 2.0.3 recheck you've modified the files correctly.

[DarkReaper]

I just redid everything, and it works almost perfectly. When registering, the user gets an error saying an error has occured and an email has been dispatched...blah blah. Here's the email:

Quote:

Database error in vBulletin: Invalid SQL: INSERT INTO userfield (userid,field5,field6,field7,field1,field2,field3, field4) VALUES (52,'','','','','','','')
mysql error: Duplicate entry '52' for key 1
mysql error number: 1062
Date: Friday 14th of September 2001 09:04:44 PM
Script: /forums/register.php
Referer: http://www.mysite.org/forums/register.php

However, it creates the user just fine, and they can login and everything. Here's the relevent section of code from member.php:

Code:

  // encypted password modification
  $DB_site->query("INSERT INTO user (userid,username,password,email,".$newstylefield."parentemail,coppauser,homepage,icq,aim,yahoo,signature,adminemail,showemail,invisible,usertitle,joindate,cookieuser,daysprune,lastvisit,lastactivity,usergroupid,timezoneoffset,emailnotification,receivepm,emailonpm,options,birthday,maxposts,startofweek,ipaddress,pmpopup,referrerid,nosessionhash,encryptedpass) VALUES (NULL,'".addslashes(htmlspecialchars($username))."','".addslashes($password)."','".addslashes(htmlspecialchars($email))."',".$newstyleval."'".addslashes(htmlspecialchars($parentemail))."','$coppauser','".addslashes(htmlspecialchars($homepage))."','".addslashes(htmlspecialchars($icq))."','".addslashes(htmlspecialchars($aim))."','".addslashes(htmlspecialchars($yahoo))."','".addslashes($signature)."','$adminemail','$showemail','$invisible','".addslashes($usertitle)."','".time()."','$cookieuser','".addslashes($prunedays)."','".time()."','".time()."','$newusergroupid','".addslashes($timezoneoffset)."','$emailnotification','$receivepm','$emailonpm','$options','".addslashes($birthday)."','".addslashes($umaxposts)."','".addslashes($startofweek)."','".addslashes($ipaddress)."','$pmpopup','".addslashes($testreferrerid['userid'])."','$nosessionhash','$encryptedpass')");
  // end secure password modification
  $userid=$DB_site->insert_id();

  // insert custom user fields
  $DB_site->query("INSERT INTO userfield $userfieldsnames VALUES ($userid$userfields)");

What's going on here?