
Author Topic: [2.0.8] potential way to login without a valid password (if blank in db)  (Read 455 times)

Offline Red Squirrel

  • Semi-Newbie
  • Posts: 28
This may potentially be fixed in newer versions and I don't want to alarm anyone as this is probably specific to my setup or this version.  Basically I'm combining 4 forums into one so I had to make extensive changes to SMF to allow for this (which is why I can't easily upgrade), such as making posts/topics sort by time and not by ID.  I will also be implementing my own login system as it will tie in with a bunch of other stuff.

So while playing around in the source files for the SMF login sequence (did not make any functional changes yet) I was just adding some "echo" debugs so I can get the value of variables when I submit a login and basically understand what's going on before I change anything.  Then suddenly, I managed to log in as a user even though I never actually set a password for that user. The conversion script sets that field blank in the DB and it may be related to that.  Seems that if the user password is blank in the database, it may be possible to log in as that user!

Steps to reproduce:

1: Have an existing user account in the database with a blank password field.

2: Try to log in with that username and a random password, it will say that the security needs to be upgraded, and to re-enter the password.  Put anything there - does not need to be the same as you typed originally, and it will accept it, and then log you in.


I don't think this is something that can happen under normal circumstances as I assume there is no situation where the password field ends up being blank in the DB, but it could potentially still be exploited somehow and I figure I would bring it to the devs' attention.
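
A fail-closed guard for the situation described in the post above, as an added example that is not part of the original post and is not SMF's code. The function names, the `member_name`/`passwd` array keys, the legacy hash scheme and the sample rows are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical helpers, not SMF source code.

/** True only if the stored value looks like a usable password hash. */
function stored_hash_is_usable(?string $stored): bool
{
    if ($stored === null || trim($stored) === '') {
        return false; // blank field: no credential was ever set
    }
    // Assumption: 40 hex characters means a legacy SHA-1 style hash.
    if (preg_match('/^[0-9a-f]{40}$/i', $stored) === 1) {
        return true;
    }
    // Otherwise accept only formats password_hash() itself produces.
    return !empty(password_get_info($stored)['algo']);
}

/** Returns 'ok', 'ok_rehash', 'denied' or 'locked'. */
function check_login(array $member, string $password): string
{
    $stored = $member['passwd'] ?? null;

    // Decide this before any "upgrade your password" branch can run:
    // an account with no usable hash must go through a reset flow,
    // never through a prompt that accepts whatever is typed next.
    if (!stored_hash_is_usable($stored)) {
        return 'locked';
    }
    if (strlen($stored) === 40) {
        // Assumed legacy scheme: sha1(lowercased name . password).
        $legacy = sha1(strtolower($member['member_name']) . $password);
        return hash_equals(strtolower($stored), $legacy) ? 'ok_rehash' : 'denied';
    }
    return password_verify($password, $stored) ? 'ok' : 'denied';
}

// Constructed sample rows: one left blank by a conversion script,
// one with a valid legacy hash.
$members = [
    ['member_name' => 'converted_user', 'passwd' => ''],
    ['member_name' => 'Alice', 'passwd' => sha1('alice' . 'correct horse')],
];
foreach ($members as $m) {
    printf("%-15s %s\n", $m['member_name'], check_login($m, 'anything'));
}
```

Only the `ok_rehash` result, reached after the old hash has been verified, should ever lead to storing a new hash; rows that come back `locked` after a conversion need a reset issued by an admin or by e-mail.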



Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • Posts: 60,092
  • Gender: Male
    • Kindred-999 on GitHub
Re: [2.0.8] potential way to login without a valid password (if blank in db)
« Reply #1 on: January 23, 2021, 09:18:36 PM »
Unless the admin does something stupid, the password column will never be blank in real life.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."