The Arcive of Official vBulletin Modifications Site.

About Developer · **Released**: 07-28-2001

Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my user's passwords.

After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So, I made a couple of modifications, to ensure that only MD5 encrypted passwords were stored in the database.

I didn't think much of it at the time, I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine.

The main issue of concern seemed to be "But now the lost-password function won't work!"

I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

I chose MD5 because I'm fond of the concept of "one-way" encryption.

Now, no admin can see a member's password. :-)

Enjoy!

(Instructions, and a database-update script are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip )

thewitt · #2 07-29-2001, 04:51 PM

Though I have not installed it yet, just looking through the code and the installation instructions, it appears to be very well done!

You are a class act CoffeeMugDude.

Thank you!

-t

CoffeeMugDude · #3 07-29-2001, 05:24 PM

Oops, I thought I had posted this in the VB2 hacks forum

BTW, thanks thewitt!

#4 07-29-2001, 05:58 PM

Hi there,

yes, looks really clean & nice - very impressive!
Will install it asap the next days,

Thanks a bunch!

-Tom

pogo · #5 08-02-2001, 10:10 AM

Little mistake?

The changes in admin/session.php line 109 must be changed in your instructions.htm.

Then it's working fine for me.

VirtueTech · #6 08-02-2001, 10:14 AM

Quote:

Written by CoffeeMugDude
I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

After reading through your first sentences this was my first worry....And you nailed it....this sounds awesome!

Although I find it very helpful at times when dealing with the users to have their password visible for certain situations. Like testing their account as them etc.

pogo · #7 08-02-2001, 11:57 AM

Another one.

In member.php the whole "start update password" routine isn't handled.

Find

Code:

// validate old password
  if ($currentpassword!=$bbuserinfo[password]) {

and replace it with

Code:

// validate old password
  if (md5($currentpassword)!=$bbuserinfo[password]) {

Then find

Code:

$DB_site->query("UPDATE user SET password='".addslashes($newpassword)."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");

and replace it with

Code:

$DB_site->query("UPDATE user SET password='".addslashes(md5($newpassword))."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");

#8 08-17-2001, 08:34 AM

ok first thanks for this hack, it totally rocks, and should be in vbulletin as a default feature, not hack...
i got it working now (i hope) but it took some screwing around... so i'm just putting what i did here so others can do the same:

1) do not edit the file sessions.php until AFTER you have run the update password script - you won't be able to log in to run the script if you do...

2) the file encrypt_all_passwords.php is messed up and will crash - search for "$DB_site_new" and replace with "$DB_site" before you run it...

3) the 2nd step of modifying admin/sessions.php is backwards - search for the 2nd part, and replace with the first!

4) the very last editing step says search for something and there is a '{' at the end... it shouldn't be there!!

5) ignore all line numbers - they refer to vbb 2.0.1!

6) do what Pogo says right above my post... he probably knows what he's talking about

(but why didn't he complain about the encrypt_all_passwords.php file?)

now im gonna go see if my forum works still... i'll be back to whine and complain if it doesn't...

#9 08-17-2001, 08:38 AM

btw this hack seems better than the other encrypting one - i don't see why i would want to give ppl the choice of having their password in plaintext...

#10 08-17-2001, 08:54 AM

hmm
i made some more mistakes... don't do this:

when doing the first edit, don't take the first search match - you want to take the one at about line 115, in the "email a lost password" section (or whatever it is)

and its still not working 100% so i'll edit this later with more info

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04492 seconds Memory Usage 2,291KB Queries Executed 23 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (4)bbcode_code (1)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)modsystem_post (1)navbar (6)navbar_link (120)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (9)postbit (6)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!