phplist

NOTE: Before reporting an issue, make sure you are running the latest version, currently 3.3.1


View Issue Details
ID: 0016787
Project: phplist application
Category: User Management
View Status: public
Date Submitted: 17-05-13 11:28
Last Update: 17-05-13 16:21
Reporter: duncanc
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.11.9
Target Version:
Fixed in Version: 2.11.10
Summary: 0016787: Wrong encryption algorithm when upgrading from 2.10.19
Description: There was a question on the forums about what happens to user passwords when upgrading from 2.10.x to 2.11.x.

As user passwords are currently hashed using MD5, when upgrading the algorithm cannot be changed.
The config.php file for 2.10.19 has two defines, each set to 1 in order to encrypt user passwords:

define("ASKFORPASSWORD",1);
define("ENCRYPTPASSWORD",1);

But this code in init.php appears to set the algorithm to sha256 if it is available, regardless of whether passwords are already hashed using MD5:

====
if (ASKFORPASSWORD && !defined("ENCRYPTPASSWORD")) {
  ## we now always encrypt
  define('ENCRYPTPASSWORD',1);
}
if (!defined("ENCRYPTPASSWORD")) {
  ## old method to encrypt, used to be with md5, keep like this for backward compat.
  define('ENCRYPTION_ALGO','md5');
# define("ENCRYPTPASSWORD",0);
}

if (!defined('ENCRYPTION_ALGO')) {
  if (function_exists('hash_algos') && in_array('sha256',hash_algos())) {
    define('ENCRYPTION_ALGO','sha256');
  } else {
    define('ENCRYPTION_ALGO','md5');
  }
}
====

Additionally, ENCRYPTION_ALGO seems to apply to both an admin password and a user password. So if MD5 is currently used for user passwords then after upgrading it will have to also be used for admin passwords, instead of a stronger algorithm.




Notes
(0052037)
michiel (manager)
17-05-13 16:04

hmm, yes. Tricky one.

If passwords were encrypted with md5, we either want to continue with md5 or find some way to update them. Updating them is tricky as we don't know them. We could enforce subscribers to re-enter them with a forgot password system, but that doesn't exist yet.

I guess for now, we'd need to stick to md5 in that case.

So, that would be:

if ASKFORPASSWORD & ENCRYPTPASSWORD -> use MD5
if ASKFORPASSWORD & !ENCRYPTPASSWORD -> set encrypt and use sha256
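
The rule in the note above, set beside the init.php logic from the report, as an added PHP 7+ example (not phpList code). `$cfg`, `sha256OrMd5()`, `algoAsReported()` and `algoPerNote()` are hypothetical names, and the stored value is assumed to be a plain MD5 hex digest of a constructed password, since the page only says "MD5".

```php
<?php
// Added illustration, not phpList source. $cfg is a hypothetical stand-in for
// the constants config.php defines (key present = constant defined).

function sha256OrMd5(): string
{
    // Same availability check as the init.php excerpt in the report.
    return (function_exists('hash_algos') && in_array('sha256', hash_algos(), true))
        ? 'sha256' : 'md5';
}

// Mirrors the init.php excerpt quoted in the report.
function algoAsReported(array $cfg): string
{
    if (!empty($cfg['ASKFORPASSWORD']) && !isset($cfg['ENCRYPTPASSWORD'])) {
        $cfg['ENCRYPTPASSWORD'] = 1;              // "we now always encrypt"
    }
    if (!isset($cfg['ENCRYPTPASSWORD'])) {
        $cfg['ENCRYPTION_ALGO'] = 'md5';          // backward-compat branch
    }
    return $cfg['ENCRYPTION_ALGO'] ?? sha256OrMd5();
}

// Follows the rule in the note. Assumptions: a truthy ENCRYPTPASSWORD in the
// pre-upgrade config means the stored hashes are MD5, an explicit
// ENCRYPTION_ALGO is respected, and cases the note does not cover fall
// through to the reported logic.
function algoPerNote(array $cfg): string
{
    if (isset($cfg['ENCRYPTION_ALGO'])) {
        return $cfg['ENCRYPTION_ALGO'];
    }
    if (!empty($cfg['ASKFORPASSWORD'])) {
        return !empty($cfg['ENCRYPTPASSWORD']) ? 'md5' : sha256OrMd5();
    }
    return algoAsReported($cfg);
}

// Constructed sample: a password stored under 2.10.19 with both defines set to 1.
$upgraded = ['ASKFORPASSWORD' => 1, 'ENCRYPTPASSWORD' => 1];
$password = 'constructed-sample-password';
$stored   = hash('md5', $password);

foreach (['algoAsReported', 'algoPerNote'] as $select) {
    $algo    = $select($upgraded);
    $matches = hash_equals($stored, hash($algo, $password));
    printf("%-15s %-7s stored hash %s\n", $select, $algo, $matches ? 'matches' : 'does not match');
}
```

Because ENCRYPTION_ALGO also applies to admin passwords, as the report points out, whichever value the selection returns is used for both kinds of account.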

