[3281] JS hashLoginPassword - wrong hash when used with umlauts

Started by Jesaul, February 23, 2009, 04:45:40 PM

Jesaul

Hi.

Ok.
I go to http://www.simplemachines.org/community/index.php
Next I clean cookies and try to login.
I get wrong password error.
Ok I try to login again with the same password - and it's ok.

The same thing is on my forums - smf 2 beta 4, or 2.0 RC1.

The thing has been tested on Firefox 3.0.5, latest shiroko and 3.2.beta 2.
On IE 8 it seems to be ok.

Jesaul

#1
One of the forum users reports he needs to change password each time to log in even after the fix with inserting "return;" into hashLoginPassword() function...

LiroyvH

I think you will have made a typo in your username or password.
If the username and password are both correct, it will never show that error.

I cannot reproduce the problem in Firefox.
Are you running any mods?
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Jesaul

There is no typo for sure. I have auto-complete on, so no mistakes allowed :)
I have one insignificant translit mod.
But I can reproduce it even here always.
I'll do that again - try to gain access to forum log files (if you don't have them) and check.

Jesaul

Ok, problem has been reproduced here.
Try to make sure that After! visiting the login page you have cleared cookies. And try to login.

LiroyvH

You are totally right.
Even though I hate clearing my cookies, I tried it for you.

I was indeed able to reproduce this weird bug.
Unfortunately I lack the coding skills to know what might cause this, so I hope someone else will be able to explain :)


- Liroy

Jesaul

Thanks. Well, in another community there was a discussion about that. It started in 2006... And the bug still appears from time to time...
In my case I can login. But I have other forum members that cannot..

metallica48423

I can't reproduce it.

Can you give me a list of how to reproduce it?
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote: Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Jesaul

Ok.
1) Use Firefox 3.0.5 or greater.
2) Log out of the forum simplemachines.org.
3) Visit http://www.simplemachines.org/community/index.php
4) Clear all cookies from simplemachines.org
5) Enter login name and password and try to login.
I get wrong password error.

Jesaul


Aleksi "Lex" Kilpinen

Actually this is a small problem with our 1.1.8 installation as well, and seems to happen with Firefox and IE alike... Every now and then when I go to login, I have to do it twice.... And looking at my error log, so do others... I have not seen this happening here though...
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

DerEineDa

#11
Hello again,

One of the members at my forum told me about a strange problem: he couldn't log in anymore, but sometimes it still works. Odd problem description, but I found the problem, so I will try to explain:

After some research I found out that it is because the member has a German umlaut in his name ("fränkie"). Let's assume his password is "frank". SMF stores the password as a hash value calculated from the username and the password (sha1(fränkiefrank)).

For security reasons, when trying to log in at the login box on the front page, SMF tries not to send the password as plain text from the browser to the server. Instead, in most browsers, a JavaScript function is used to calculate the hash locally and then it only sends the hash to the server. When SMF receives the login data and the locally calculated hash is available, it will use it. THIS is the problem! The JS function "hashLoginPassword(...)" in the file "/Themes/default/scripts/script.js" calculates a wrong hash when the username contains umlauts. I found this out with the help of the "Live HTTP Headers" addon for Firefox. So the hash of "fränkiefrank" calculated by the JS function is different than the hash stored in the database.

I could fix this by changing the JS function to return immediately, so it does nothing. This sends the password as plain text, but I couldn't find another way.

Oddly, the hash value calculated by MySQL (SELECT sha1('fränkiefrank')) is also different from the JS and database version...

This problem occurs with and without the UTF-8 language packs and -settings.
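
The mismatch described in the post above, as an added example that is not part of the thread and is not SMF's code: the same username+password text gives different SHA-1 digests depending on how it is turned into bytes before hashing. The encoder list and function names are assumptions for illustration; the username and password are the sample values from the post.

```javascript
// Added example (not SMF code): one username+password string, several SHA-1 digests.
const { createHash } = require("node:crypto");

// Candidate ways a browser script, PHP or MySQL may turn text into bytes.
// Which one each component really uses is an assumption to be tested.
const ENCODERS = {
  utf8: (s) => Buffer.from(s, "utf8"),      // "ä" -> C3 A4
  latin1: (s) => Buffer.from(s, "latin1"),  // "ä" -> E4
  // UTF-8 bytes misread as Latin-1 and encoded again (mojibake): C3 83 C2 A4
  doubleUtf8: (s) => Buffer.from(Buffer.from(s, "utf8").toString("latin1"), "utf8"),
};

// SHA-1 over username + password, as described in the post above.
function loginDigest(username, password, encoding) {
  const bytes = ENCODERS[encoding](username + password);
  return createHash("sha1").update(bytes).digest("hex");
}

// Every digest a credential pair can produce, keyed by encoding name.
function allDigests(username, password) {
  return Object.fromEntries(
    Object.keys(ENCODERS).map((enc) => [enc, loginDigest(username, password, enc)])
  );
}

// Which encodings reproduce a stored hash (empty list: none of them).
function matchingEncodings(storedHash, username, password) {
  const wanted = storedHash.toLowerCase();
  return Object.entries(allDigests(username, password))
    .filter(([, digest]) => digest === wanted)
    .map(([enc]) => enc);
}

// Constructed sample: pretend the database holds the Latin-1 digest of "fränkie" + "frank".
const USER = "fr\u00e4nkie";
const stored = loginDigest(USER, "frank", "latin1");
console.log(allDigests(USER, "frank"));                // three different digests
console.log(matchingEncodings(stored, USER, "frank")); // [ 'latin1' ]

// An ASCII-only name encodes to the same bytes everywhere, so all encodings match.
const asciiStored = loginDigest("frankie", "frank", "utf8");
console.log(matchingEncodings(asciiStored, "frankie", "frank"));
```

Running `matchingEncodings` against a real stored hash and a known test password shows which byte encoding the storing side used, which is the encoding the client-side hash has to reproduce.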

Jesaul

Confirming all bugs in the post.
I have the same problems and even one user with an English name who needs to change his password each time to log in.


DerEineDa

The severity is only 'normal'? Come on, many people can't login anymore, I think this is a maaaaajor problem ;)

Edit: I forgot to mention: I only know that this bug happens with Firefox 3. It wasn't tested with other browsers.

Jesaul

Please review this.
In my case 90% of users need to login twice in a row, but one user cannot login at all. She needs to change the password and only then it's possible to login for her, but after logout there is a need to change password again.

Aleksi "Lex" Kilpinen

Quote from: Jesaul on February 27, 2009, 10:36:15 AM
she needs to change the password and only then it's possible to login for her, but after logout there is a need to change password again.
This I have never seen, but I have seen the need to login twice...
BUT I have to correct my last message on this a little, I'm not sure if this has happened after the update from 1.1.7 to 1.1.8...
I seem to be able to login quite fine now...

DerEineDa

Quote from: Jesaul on February 25, 2009, 04:23:30 AM
And 6) you must have JS enabled.

I somehow think this is related to this bug: http://www.simplemachines.org/community/index.php?topic=295803.0

Maybe the password doesn't need to contain special characters to produce this bug, maybe there are other circumstances... But I think it all has to do with the JS function...

Jesaul

I've tried to insert return in JS login function that is responsible for sending encrypted password. This has eliminated the problem with double login for me, but the problem with the user that cannot login still remains..

karlbenson
