Hello, I'm new to SMF. Recently, I started working on a separate PHP script that connects to my database to compare usernames and passwords using URL parameters. The purpose is to validate user input information.
For example, the URL might be: webtest123/compare.php?member_name=test123&passwd=12345
The issue I've encountered is that the passwords appear to be hashed. This causes the "&passwd=12345" parameter to always be incorrect, resulting in a false comparison. I attempted to modify an existing PHP script that performs the required functionality, but it was designed for mybb forums and didn't work in my case. This could be due to the fact that mybb is using MD5 hashing, while SMF likely uses SHA-1. For those wondering, this is what the script looks like:

```php
<?php
$ini = parse_ini_file('config.ini');
$link = mysqli_connect($ini['db_host'], $ini['db_user'], $ini['db_password']);
$database = mysqli_select_db($link, $ini['db_name']);
$user = $_GET['username'];
$password = $_GET['password'];
$tables = $ini['mybb_usertable'];
$sql = "SELECT * FROM " . $tables . " WHERE username = '" . mysqli_real_escape_string($link, $user) . "'";
$result = $link->query($sql);
if ($result->num_rows > 0) {
    // Outputting the rows
    while ($row = $result->fetch_assoc()) {
        $password = $row['password'];
        $salt = $row['salt'];
        $plain_pass = $_GET['password'];
        $stored_pass = md5(md5($salt) . md5($plain_pass));
        function Redirect($url, $permanent = false) {
            if (headers_sent() === false) {
                header('Location: ' . $url, true, ($permanent === true) ? 301 : 302);
            }
            exit();
        }
        if ($stored_pass != $row['password']) {
            echo "0"; // Wrong pass, user exists
        } else {
            echo "1"; // Correct pass
        }
    }
} else {
    echo "2"; // User doesn't exist
}
```
Here's my edited version of the script:

```php
<?php
$dbHost = "skret";
$dbUser = "skret";
$dbPass = "skret";
$dbName = "skret";
$link = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
if ($link->connect_error) {
    die("Connection failed: " . $link->connect_error);
}
$user = $_GET['username'];
$password = $_GET['password'];
$tables = "smf_members";
$sql = "SELECT * FROM $tables WHERE member_name = ?";
$stmt = $link->prepare($sql);
$stmt->bind_param("s", $user);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows > 0) {
    $row = $result->fetch_assoc();
    $stored_pass = sha1($row['passwd'] . $row['passwd_salt']); // SMF uses SHA1 hashing
    if ($stored_pass === sha1($password . $row['passwd_salt'])) {
        echo "1"; // Correct pass
    } else {
        echo "0"; // Wrong pass, user exists
    }
} else {
    echo "2"; // User doesn't exist
}
$stmt->close();
$link->close();
function Redirect($url, $permanent = false) {
    if (!headers_sent()) {
        header('Location: ' . $url, true, $permanent ? 301 : 302);
    }
    exit();
}
?>
```

Tbh, I don't really know what to do since I tried a lot of possible ways but nothing worked.
You might want to take a peek at this Password auth (https://www.simplemachines.org/community/index.php?topic=583005.0)
Quote from: Aleksi on August 05, 2023, 03:59:49 PM
You might want to take a peek at this Password auth (https://www.simplemachines.org/community/index.php?topic=583005.0)
Thank you so much, got it to work!
BTW, passing the password openly in the url is distinctly insecure and NOT recommended
Quote from: Kindred on August 05, 2023, 07:19:55 PM
BTW, passing the password openly in the url is distinctly insecure and NOT recommended
That was my first thought, too. Doing that is basically putting up a big sign saying "PLEASE HACK ME AND MY USERS!"
I strongly recommend that you reconsider how you are doing this, @huejadd. You should redesign your script so that you never have to put any login credentials into the URL parameters.
Quote from: Sesquipedalian on August 05, 2023, 08:10:57 PM
Quote from: Kindred on August 05, 2023, 07:19:55 PM
I strongly recommend that you reconsider how you are doing this, @huejadd. You should redesign your script so that you never have to put any login credentials into the URL parameters.
Yes, I am aware of the security issue. The reason I implemented the script in this manner is because I need to verify user logins in my C++ application. However, due to my laziness to directly retrieve content from the MySQL database, I opted for this script. Also, the script link is hidden somewhere in my forum which users shouldn't be able to access. The application then utilizes this link by adding the provided username and password within the application. Then it triggers the URL. If the response is true, it signifies that the login is correct (indicating that the user and password combination exists), if the response is false, it means that an issue is present.
Security through obscurity does not work for long.
Hardening and properly designed scripts are the only way to correctly do web work.
There are definitely better ways to exchange login credentials.
If users have already submitted their login credentials to software on your server, don't pass them to your PHP script via an HTTP request. Instead, call your script directly via a shell exec call or something similar.
Quote
is using MD5 hashing, while SMF likely uses SHA-1
Neither of these should be used.
Quote from: Tyrsson on August 06, 2023, 03:05:48 PM
Quote
is using MD5 hashing, while SMF likely uses SHA-1
Neither of these should be used.
SMF does not use either. We use the password_hash() function.
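As an added example (not code from this thread or from SMF itself), here is a sketch of the check the replies point to: password_verify() against the stored password_hash() value, with credentials read from the POST body instead of the URL. It assumes the hash was computed over the lowercased member name followed by the password; confirm that against your SMF version. The function names and sample row are constructed for illustration.

```php
<?php
// Assumption: smf_members.passwd holds password_hash(lowercased member name . password).
// strtolower() covers ASCII names only; multibyte names need a multibyte-aware lowercase.

// Constructed sample row standing in for a prepared SELECT on smf_members.
function sample_lookup(string $user): ?array
{
    $name = 'Test123';
    if (strtolower($user) !== strtolower($name)) {
        return null; // no such member
    }
    return [
        'member_name' => $name,
        'passwd' => password_hash(strtolower($name) . 'correct horse', PASSWORD_BCRYPT),
    ];
}

// Returns 1 on a match, 0 otherwise. An unknown user and a wrong password give the
// same answer, and both paths run one bcrypt verification.
function check_login(?array $row, string $user, string $password): int
{
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_BCRYPT);
    $hash = $row['passwd'] ?? $dummy;
    $ok = password_verify(strtolower($user) . $password, $hash);
    return ($row !== null && $ok) ? 1 : 0;
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with the constructed row.
    echo check_login(sample_lookup('test123'), 'test123', 'correct horse'), "\n"; // match
    echo check_login(sample_lookup('test123'), 'test123', '12345'), "\n";         // wrong password
    echo check_login(sample_lookup('nobody'), 'nobody', '12345'), "\n";           // unknown user
} else {
    // Web entry point: accept credentials only in a POST body, never in the query string,
    // so they do not end up in access logs, browser history or Referer headers.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    echo check_login(sample_lookup($user), $user, $pass);
}
```

In a real deployment, replace sample_lookup() with a prepared statement against smf_members and serve the endpoint over HTTPS only.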