ID: 0011841
Project: phplist application
Category: Authentication System
View Status: public
Date Submitted: 06-10-07 09:32
Last Update: 26-03-13 15:37
Product Version: 2.10.5
Target Version: 4.0.x
Fixed in Version: 2.11.8
Summary: 0011841: Use of MD5

I am using a modification in osCommerce to integrate PHPList into OSC.

Existing customers within osC have already stated their preference to receive a newsletter or not. We have in excess of 30,000 customers so I am writing a further tool in osc to migrate users' newsletter settings to PHPList.

I note that PHPList has been built with some kind of extensibility in mind and the inclusion of the foreignkey field on the user_user database is a superb help in the integration.

The problem I have is with the passwords already contained within the OSC customer database. OSC use the following to encrypt their passwords:

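  function tep_encrypt_password($plain) {
    $password = '';

    // Build a throwaway random string; it is only used to derive the salt
    for ($i=0; $i<10; $i++) {
      $password .= tep_rand();
    }

    // Two-character salt taken from the MD5 of that random string
    $salt = substr(md5($password), 0, 2);

    // Stored value has the form md5(salt . plain):salt
    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }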

I note that PHPList merely uses calls to md5 to encrypt.

Having looked through the PHPList code I note there are only a few places where the md5 calls are made. Would it be possible to replace the calls to md5 with calls to a function that performs the encryption? This function can then be overloaded by other integrators like myself so that they can use their own password encryption routines.

I am happy enough to do this work, if somebody could reply with pointers on how best to integrate it into the PHPList codebase.

Relationships
related to 0002705 (closed): PHPList v2.11 release
child of 0010998 (new): Enhance security

Notes
20-12-07 15:46

Could you please tell this person
* Where to build the function
* if all calls to MD5 can be replaced without problems?
michiel (manager)
04-01-08 18:05

Yes, it would be nice to make user authentication more abstract so that this can be achieved more easily. If you have any ideas about it, feel free to implement it, if that makes it easier to integrate with osCommerce.

MD5 is not really used that much in phplist. It is only used when the settings are to encrypt passwords, which by default they aren't.
michiel (manager)
26-03-13 15:37

There is now a new config to set the encryption method.
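
One way the overridable password check requested in this issue could look, as an added example that is not phpList or osCommerce code: it accepts the osCommerce `md5(salt . plain):salt` values quoted in the report and replaces them with a PHP `password_hash()` value on the next successful login. The function names, the re-hashing step and the sample value are assumptions made for illustration.

```php
<?php
// Added example with hypothetical function names; not phpList or osCommerce code.

/** Verify a password against an osCommerce-style "md5(salt . plain):salt" value. */
function verify_osc_legacy(string $plain, string $stored): bool
{
    $parts = explode(':', $stored);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32) {
        return false; // not in the legacy format
    }
    [$hash, $salt] = $parts;
    // hash_equals() compares in constant time
    return hash_equals($hash, md5($salt . $plain));
}

/**
 * Check a login against a stored value in either format.
 * Returns [bool $ok, ?string $replacement]; when $replacement is not null
 * the caller should store it in place of the old value.
 */
function check_password(string $plain, string $stored): array
{
    // Values produced by password_hash() are recognised by password_get_info()
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        if (!password_verify($plain, $stored)) {
            return [false, null];
        }
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($plain, PASSWORD_DEFAULT)
            : null;
        return [true, $new];
    }
    if (verify_osc_legacy($plain, $stored)) {
        // Legacy MD5 matched: upgrade while the plaintext is available
        return [true, password_hash($plain, PASSWORD_DEFAULT)];
    }
    return [false, null];
}

// Constructed sample: salt "ab", password "s3cret", in the imported format
$imported = md5('ab' . 's3cret') . ':ab';
[$ok, $upgraded] = check_password('s3cret', $imported);
var_dump($ok);                                     // legacy value accepted
var_dump(check_password('wrong', $imported)[0]);   // wrong password rejected
var_dump(check_password('s3cret', $upgraded)[0]);  // upgraded value verifies
```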
