SMF Development > Fixed or Bogus Bugs

[4266]Password Problem

(1/2) > >>

Intel Guard:
No help in the SMF 1.x board so:


--- Quote from: Intel Guard on April 02, 2010, 05:19:40 PM ---I come from the GG2 forums, which uses version 1.1.11 of SMF. Apparently, if you put an apostrophe into your password, the forum doesn't allow you to use it to validate changing your account information.

Any help?

--- End quote ---

--- Quote from: Intel Guard on April 02, 2010, 05:21:33 PM ---No, some members have already used one beforehand.

"For as long as I've had my account, I have been unable to change my name or password or any account related settings. Now I know why. Having punctuation in your password messes with the system, preventing one from changing account information, and only returning a wrong password error. Something similar happened to me on a different website, which is what lead me to come to this conclusion. NAGN has verified this the hard way. That all being said, I'd like to change my password now."


--- End quote ---

Reset password doesn't work.

Arantor:
First up, you say about "no help" - the topic's less than half an hour old, normally we ask for 24 hours before bumping because we're all volunteers.

I agree it's a bug. I can't remember if 2.0 does the same or not. I also don't know if the team will consider this a security bug or not, if not it won't be fixed in 1.1.x.

As for changing it, I can probably write you a script to enable your members to change their passwords - of course, authenticating with their existing password. Will that be sufficient in the interim?

Intel Guard:

--- Quote from: Arantor on April 02, 2010, 05:39:12 PM ---First up, you say about "no help" - the topic's less than half an hour old, normally we ask for 24 hours before bumping because we're all volunteers.

I agree it's a bug. I can't remember if 2.0 does the same or not. I also don't know if the team will consider this a security bug or not, if not it won't be fixed in 1.1.x.

As for changing it, I can probably write you a script to enable your members to change their passwords - of course, authenticating with their existing password. Will that be sufficient in the interim?

--- End quote ---
Yes, it would be much appreciated.

Arantor:
I will see if I can find time in to do it, but it's been a while since I did SMF 1 coding.

The actual process isn't hard; the password is SHA1(strtolower($username) . $password), so it's just a case of comparing username/old password to DB, then both copies of the new password with each other, then the aforementioned hash and subsequent DB update.

N. N.:
I agree it is a bug. I don't know however, if it really can be considered for solving at this point. I tracked it, but I don't think I'd advice it, given that SMF 1.1.x is very old today, and the next version (2.0) should and does receives most of contributors' time at this point.

Thank you for the report.

Navigation

[0] Message Index

[#] Next page

Go to full version