Phpass error when authenticating with specific passwords from phpBB3?

Using either the phpass testing program http://www.openwall.com/phpass/phpass-0.3.tar.gz, or python-phpass, and using C?*|Y[j"KQ'%gf for a plain text password and $P$9kS6tD8tVxajypvJ5837.bt2emepD8/ as a hash, doing:

```php
<?php
#
# This is a test program for the portable PHP password hashing framework.
#
# Written by Solar Designer and placed in the public domain.
# See PasswordHash.php for more information.
#

require 'PasswordHash.php';

header('Content-type: text/plain');

$t_hasher = new PasswordHash(8, FALSE);

$correct2 = 'C?*|Y[j"KQ\'%gf';
$hash2 = '$P$9kS6tD8tVxajypvJ5837.bt2emepD8/';

print 'Hash: [' . $hash2 . "]\n";
print 'correct: [' . $correct2 . "]\n";

$check = $t_hasher->CheckPassword($correct2, $hash2);

if ($check) {
    print "Check IF THIS WORKScorrect: '" . $check . "' (should be '1')\n";
} else {
    print "IT FAILED!!!!!!!!\n\n\n";
}

?>
```

The hash was from phpBB3 (3.0.10), and when I provide this phpBB3 password, it works correctly.

phpBB3 is supposed to use phpass itself, making $H$ instead of $P$.

In this example, the database entry in phpBB3:

qlc4pi000000 "; 0;" 127.0.0.1 "; 1351902499;" testpass ";" testpass ";" $H$9kS6tD8tVxajypvJ5837.bt2emepD8/ "; 1351902499; 0;" tp@inva.lid.com "; 266402289712;" '' '; 1351902544; 1351902499; 0; "''"; "''"; 0; 0; 0; 0; 0; 0; "en"; 0.00; 0; DM DM, Y g: IA "; 2; 0;" '' "; 0; 0; 0; 0; -3; 0; 0;" t "" g "; 0;" t "" a "; 0; 1; 0; 1; 1; 1; 1; 230271;" '' "; 0; 0; 0;" '' ";" '' ";" '' ";" ' '";"' '";"' '";" '' ";" '' ";" '' ";" '' ";" '' ";" '' ";" '' ";" '' ";" bf4ae169a5a21313 ", 1, 0; 0

The plain text password used in phpBB3 is [C?*|Y[j"KQ'%gf], and the hash (converted from phpBB3 format) is [$P$9kS6tD8tVxajypvJ5837.bt2emepD8/] (both the password and the hash are between []).

Can someone shed some light on what is happening and why it does not work with phpass? This is on the same machine that the forums work on, and, again, it works on the phpBB3 forums, so I can log in. I just cannot authenticate with phpass from the outside when I directly access the phpBB3 database. It works on other accounts; it is only certain accounts on which it does not work.

0
2 answers

Turns out the problem is that phpBB3 converts the password to use HTML escape codes.

Now, as soon as the password is converted, it matches the hash stored in phpBB3.

+1

phpBB3 will most likely apply the htmlspecialchars PHP function (without flags) to the password.

This fact, noted by phpBoing, was also seen when discussing fooobar.com/questions/1435662 / ....

The non-standard identifier $H$ is useful. When $H$ is present, the implementation may know how to apply escaping to support phpBB3.

0
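The behaviour both answers describe, as an added example that is not part of the original posts: a Python re-implementation of phpass portable hashing that escapes the password first when the stored hash carries the $H$ prefix. The `phpbb3_escape` helper assumes `htmlspecialchars` with PHP's older default `ENT_COMPAT` flag, and `make_demo_hash` with its fixed salt is a constructed sample, not a value from the phpBB3 database.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass's own base64 variant: little-endian 3-byte groups, ITOA64 alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):      # 1 byte -> 2 chars, 3 bytes -> 4 chars
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_portable(password: bytes, setting: str) -> str:
    """Recompute a portable phpass hash from the first 12 chars of a stored one."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode("ascii")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)

def phpbb3_escape(password: str) -> str:
    """Assumption: phpBB3 filters input like htmlspecialchars() with ENT_COMPAT."""
    return (password.replace("&", "&amp;").replace('"', "&quot;")
            .replace("<", "&lt;").replace(">", "&gt;"))

def check_password(password: str, stored: str) -> bool:
    """Verify against $P$ as-is; for $H$ escape first, as phpBB3 did when hashing."""
    if stored.startswith("$H$"):
        password = phpbb3_escape(password)
    computed = phpass_portable(password.encode("utf-8"), stored)
    return hmac.compare_digest(computed.encode(), stored.encode())

def make_demo_hash(password: str, salt: str = "abcdefgh") -> str:
    """Constructed sample: hash the way phpBB3 would, with a fixed demo salt."""
    setting = "$H$" + ITOA64[7] + salt           # 2**7 rounds keeps the demo fast
    return phpass_portable(phpbb3_escape(password).encode("utf-8"), setting)

if __name__ == "__main__":
    pw = 'C?*|Y[j"KQ\'%gf'                       # the password from the question
    stored = make_demo_hash(pw)
    print(check_password(pw, stored))                 # $H$ kept: escaping applied
    print(check_password(pw, "$P$" + stored[3:]))     # relabelled $P$: raw password
```

Passwords made only of characters the filter leaves alone hash identically under both prefixes, which is consistent with the question's observation that only certain accounts fail.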

Source: https://habr.com/ru/post/1435666/

