View Issue Details

ID: 0011841
Project: phpList 3 application
Category: Authentication System
View Status: public
Last Update: 26-03-13 15:37
Reporter: theintoy
Assigned To:
Status: resolved
Resolution: fixed
Product Version: 2.10.5
Fixed in Version: 2.11.8
Summary: 0011841: Use of MD5

I am using a modification in osCommerce to integrate PHPList into OSC.

Existing customers within osC have already stated their preference to receive a newsletter or not. We have in excess of 30,000 customers so I am writing a further tool in osc to migrate users' newsletter settings to PHPList.

I note that PHPList has been built with some kind of extensibility in mind and the inclusion of the foreignkey field on the user_user database is a superb help in the integration.

The problem I have is with the passwords already contained within the OSC customer database. OSC use the following to encrypt their passwords:

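 function tep_encrypt_password($plain) {
    $password = '';

    // Build a throwaway random string; it is only used to derive the salt.
    for ($i=0; $i<10; $i++) {
      $password .= tep_rand();
    }

    // Salt: the first two hex characters of the MD5 of that random string.
    $salt = substr(md5($password), 0, 2);

    // Stored value: md5(salt . plaintext), then ':' and the salt.
    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
 }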

I note that PHPList merely uses calls to md5 to encrypt.

Having looked through the PHPList code I note there are only a few places where the md5 calls are made. Would it be possible to replace the calls to md5 with calls to a function that performs the encryption? This function can then be overloaded by other integrators like myself so that they can use their own password encryption routines.

I am happy enough to do this work, if somebody could reply with pointers on how best to integrate it into the PHPList codebase.
Tags: No tags attached.


related to 0002705 closed PHPList v2.11 release 
child of 0010998 new Enhance security 
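
An added example, not part of the original report and not phpList or osCommerce code: one way a single replaceable verification function could accept both the osCommerce `hash:salt` format shown above and a bare md5 value, compare in constant time, and re-hash the record on a successful login. All function names are hypothetical, the sample records are constructed, and the move to `password_hash()` is an assumption about what the integrator would want.

```php
<?php
// Added example. Function names are hypothetical, not phpList or osCommerce APIs.

// Recompute the osCommerce stored form: md5(salt . plain) . ':' . salt
function osc_hash(string $plain, string $salt): string
{
    return md5($salt . $plain) . ':' . $salt;
}

// Return the name of the scheme that verified $plain, or null on failure.
function verify_password(string $plain, string $stored): ?string
{
    // osCommerce: 32 hex chars, ':', 2-hex-char salt
    if (preg_match('/^[0-9a-f]{32}:([0-9a-f]{2})$/', $stored, $m)) {
        return hash_equals($stored, osc_hash($plain, $m[1])) ? 'osc-md5' : null;
    }
    // Bare md5(), as the report describes phpList doing
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return hash_equals($stored, md5($plain)) ? 'md5' : null;
    }
    // Anything else is treated as password_hash() output
    return password_verify($plain, $stored) ? 'password_hash' : null;
}

// Check a login and, on success, replace a legacy MD5 record in place.
function login(string $plain, string &$stored): bool
{
    $scheme = verify_password($plain, $stored);
    if ($scheme === null) {
        return false;
    }
    if ($scheme !== 'password_hash' || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample records (not real data)
$imported = osc_hash('s3cret-Example', 'a7');   // as migrated from osCommerce
$native   = md5('s3cret-Example');              // bare md5

var_dump(verify_password('s3cret-Example', $imported)); // scheme that matched
var_dump(verify_password('wrong', $native));            // failed verification
var_dump(login('s3cret-Example', $imported));           // verifies, then re-hashes
var_dump(verify_password('s3cret-Example', $imported)); // scheme after the upgrade
```

Because the osCommerce salt is only two hex characters and MD5 is fast, the legacy branches are worth keeping only as long as unmigrated records exist.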



20-12-07 15:46


Could you please tell this person
* Where to build the function
* if all calls to MD5 can be replaced without problems?


04-01-08 18:05

administrator   ~0038772

Yes, it would be nice to make user authentication more abstract so that this can be achieved more easily. If you have any ideas about it, feel free to implement it, if that makes it easier to integrate with osCommerce.

Md5 is not really used that much in phplist. It is only used when the settings are to encrypt passwords, which by default they aren't.


26-03-13 15:37

administrator   ~0051990

There is now a new config to set the encryption method.