Passwords

Started by huejadd, August 05, 2023, 03:02:37 PM

huejadd

Hello, I'm new to SMF. Recently, I started working on a separate PHP script that connects to my database to compare usernames and passwords using URL parameters. The purpose is to validate user input information.

For example, the URL might be: webtest123/compare.php?member_name=test123&passwd=12345

The issue I've encountered is that the passwords appear to be hashed. This causes the "&passwd=12345" parameter to always be incorrect, resulting in a false comparison. I attempted to modify an existing PHP script that performs the required functionality, but it was designed for mybb forums and didn't work in my case. This could be caused due to the fact that mybb is using MD5 hashing, while SMF likely uses SHA-1. For those wondering, this is what the script looks like:

    <?php
    $ini = parse_ini_file('config.ini');
    $link = mysqli_connect($ini['db_host'],$ini['db_user'],$ini['db_password']);
    $database = mysqli_select_db($link,$ini['db_name']);
    $user = $_GET['username'];
    $password = $_GET['password'];
    $tables = $ini['mybb_usertable'];
    $sql = "SELECT * FROM ". $tables ." WHERE username = '". mysqli_real_escape_string($link,$user) ."'" ;
    $result = $link->query($sql);
    if ($result->num_rows > 0) {
        // Outputting the rows
        while($row = $result->fetch_assoc()) {
            $password = $row['password'];
            $salt = $row['salt'];
            $plain_pass = $_GET['password'];
            $stored_pass = md5(md5($salt).md5($plain_pass));
            function Redirect($url, $permanent = false) {
                if (headers_sent() === false) {
                    header('Location: ' . $url, true, ($permanent === true) ? 301 : 302);
                }
                exit();
            }
            if($stored_pass != $row['password']) {
                echo "0"; // Wrong pass, user exists
            } else {
                echo "1"; // Correct pass
            }
        }
    } else{
        echo "2"; // User doesn't exist
    }

Here's my edited version of the script:

    <?php
    $dbHost = "skret";
    $dbUser = "skret";
    $dbPass = "skret";
    $dbName = "skret";
    $link = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
    if ($link->connect_error) {
        die("Connection failed: " . $link->connect_error);
    }
    $user = $_GET['username'];
    $password = $_GET['password'];
    $tables = "smf_members";
    $sql = "SELECT * FROM $tables WHERE member_name = ?";
    $stmt = $link->prepare($sql);
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $result = $stmt->get_result();
    if ($result->num_rows > 0) {
        $row = $result->fetch_assoc();
        $stored_pass = sha1($row['passwd'] . $row['passwd_salt']); // SMF uses SHA1 hashing
        if ($stored_pass === sha1($password . $row['passwd_salt'])) {
            echo "1"; // Correct pass
        } else {
            echo "0"; // Wrong pass, user exists
        }
    } else {
        echo "2"; // User doesn't exist
    }
    $stmt->close();
    $link->close();
    function Redirect($url, $permanent = false) {
        if (!headers_sent()) {
            header('Location: ' . $url, true, $permanent ? 301 : 302);
        }
        exit();
    }
    ?>

Tbh, I don't really know what to do since I tried a lot of possible ways but nothing worked.

Aleksi "Lex" Kilpinen

You might want to take a peek at this Password auth
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

huejadd

Quote from: Aleksi on August 05, 2023, 03:59:49 PM
You might want to take a peek at this Password auth

Thank you so much got it to work!

Kindred

BTW, passing the password openly in the url is distinctly insecure and NOT recommended
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sesquipedalian

Quote from: Kindred on August 05, 2023, 07:19:55 PM
BTW, passing the password openly in the url is distinctly insecure and NOT recommended

That was my first thought, too. Doing that is basically putting up a big sign saying "PLEASE HACK ME AND MY USERS!"

I strongly recommend that you reconsider how you are doing this, @huejadd. You should redesign your script so that you never have to put any login credentials into the URL parameters.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

huejadd

Quote from: Sesquipedalian on August 05, 2023, 08:10:57 PM
Quote from: Kindred on August 05, 2023, 07:19:55 PM
I strongly recommend that you reconsider how you are doing this, @huejadd. You should redesign your script so that you never have to put any login credentials into the URL parameters.

Yes, I am aware of the security issue. The reason I implemented the script in this manner is because I need to verify user logins in my C++ application. However, due to my laziness to directly retrieve content from the MySQL database, I opted for this script. Also the script link is hidden somewhere in my forum which users shouldn't be able to access. The application then utilizes this link by adding the provided username and password within the application. Then it triggers the URL. If the response is true, it signifies that the login is correct (indicating that the user and password combination exists), if the response is false, it means that an issue is present.

Kindred

Security through obscurity does not work for long.

Hardening and properly designed scripts are the only way to correctly do web work.

There are definitely better ways to exchange login credentials

Sesquipedalian

If users have already submitted their login credentials to software on your server, don't pass them to your PHP script via an HTTP request. Instead, call your script directly via a shell exec call or something similar.

Tyrsson

Quote: is using MD5 hashing, while SMF likely uses SHA-1
Neither of these should be used.
PM at your own risk, some I answer, if they are interesting, some I ignore.

Sesquipedalian

Quote from: Tyrsson on August 06, 2023, 03:05:48 PM
Quote: is using MD5 hashing, while SMF likely uses SHA-1
Neither of these should be used.

SMF does not use either. We use the password_hash() function.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
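
The two points made in this thread (no credentials in the URL, and password_hash() rather than SHA-1) can be combined as in the following added example, which is not code from any poster or from SMF itself. It assumes SMF 2.1 stores password_hash() of the lowercased member_name concatenated with the password in smf_members.passwd (confirm this against the Password auth page linked above); verify_login, fetch_member and the database credentials are hypothetical placeholders.

```php
<?php
// Added example, not SMF's own code. Assumption: smf_members.passwd holds
// password_hash(lowercased member_name . password), as in SMF 2.1.

/** Check a submitted password against a member row; $row is null if no such member. */
function verify_login(?array $row, string $user, string $pass): bool
{
    if ($row === null) {
        return false;
    }
    // password_verify() reads the algorithm, cost and salt from the stored hash
    // itself, so no separate passwd_salt column is involved in the check.
    return password_verify(mb_strtolower($user) . $pass, $row['passwd']);
}

/** Look the member up with a prepared statement (table and columns as in the thread). */
function fetch_member(mysqli $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT member_name, passwd FROM smf_members WHERE member_name = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if (PHP_SAPI === 'cli') {
    // Offline self-check using a constructed member record (no database needed).
    $row = [
        'member_name' => 'Test123',
        'passwd'      => password_hash('test123' . '12345', PASSWORD_BCRYPT),
    ];
    var_dump(verify_login($row, 'Test123', '12345'));
    var_dump(verify_login($row, 'Test123', 'wrong'));
    var_dump(verify_login(null, 'nobody', '12345'));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Credentials are read from the POST body (sent over HTTPS), so they do not
    // end up in URLs, browser history, proxy logs or web-server access logs.
    $user = (string) ($_POST['member_name'] ?? '');
    $pass = (string) ($_POST['passwd'] ?? '');
    $db = new mysqli('db_host', 'db_user', 'db_pass', 'db_name'); // placeholders
    // One answer for both failure cases, so the reply does not reveal
    // whether the member name exists.
    echo verify_login(fetch_member($db, $user), $user, $pass) ? '1' : '0';
} else {
    http_response_code(405); // refuse GET: credentials must not arrive in a URL
}
```

Run from the command line, the self-check prints true, false, false; served over HTTPS, the calling application sends member_name and passwd as POST form fields.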