View Issue Details

ID: 0016794
Project: phplist application
Category: Authentication System
View Status: public
Last Update: 28-05-13 12:54
Reporter: dymitar
Priority: normal
Severity: block
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.11.9
Target Version: 2.11.10
Fixed in Version: 2.11.10
Summary: 0016794: Cannot login after password update
Description
After a password update, login is no longer possible.
The reason is a problem in the function validateLogin in the file phplist_auth.inc.

The row
$encryptedPass = hash(ENCRYPTION_ALGO,$password); //row 15
is not compatible with the row

$SQLquery=sprintf("update %s set password='%s', passwordchanged=now() where loginname = '%s';", $GLOBALS['tables']['admin'], md5($p1), $admin); //row 69

from login.php file

The password is stored in the DB with md5, and later compared with the plain password (after the hash) from the login screen.

The solution is either to pass the password to the function with md5 already applied (row 249 in index.php) or to change the row to:

$encryptedPass = hash(ENCRYPTION_ALGO,md5($password));
Steps To Reproduce
-- go to the login screen
-- fill in the email for forgotten password
-- use the received link to open the update password dialog
-- update the password
-- try to login
Login will be unsuccessful.
-- change the code as described above
Login will be successful.
Tags: No tags attached.
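The mismatch the report describes, reproduced as an added example (this is not phpList's own code and not the fix that shipped in 2.11.10): the reset path stores md5($p1) while validateLogin compares hash(ENCRYPTION_ALGO, $password), so a freshly reset password can never match. The defensive shape of a fix is a single hashing function that both the reset path and the login path call, plus a constant-time comparison. ENCRYPTION_ALGO is the constant named in the report; its value 'sha256' and every function name below are assumptions for this illustration.

```php
<?php
// Added example, not phpList code. ENCRYPTION_ALGO is the constant the
// report names; the value 'sha256' is an assumption.
define('ENCRYPTION_ALGO', 'sha256');

// Before: the two paths hash differently.
// What login.php (row 69 in the report) stores after a password reset.
function resetPathBefore(string $newPassword): string {
    return md5($newPassword);
}
// What validateLogin (row 15 in the report) computes from the login form.
function loginPathBefore(string $submitted): string {
    return hash(ENCRYPTION_ALGO, $submitted);
}

// After: one shared function, called by both sides, so the stored digest
// and the digest computed at login are produced the same way.
// (Hypothetical helper name for this illustration.)
function encryptPass(string $password): string {
    return hash(ENCRYPTION_ALGO, $password);
}
function resetPathAfter(string $newPassword): string {
    return encryptPass($newPassword);
}
function loginPathAfter(string $submitted): string {
    return encryptPass($submitted);
}

// Compare the stored digest with the computed one without leaking timing
// information through an early-exit string comparison.
function passwordMatches(string $stored, string $computed): bool {
    return hash_equals($stored, $computed);
}

// Walk through the report's steps with a constructed sample password.
$newPassword = 'constructed-sample-password';

// Step "update the password", then "try to login" with the old code:
$storedBefore = resetPathBefore($newPassword);
echo 'before fix, correct password accepted: ',
     var_export(passwordMatches($storedBefore, loginPathBefore($newPassword)), true), "\n";

// Same steps once both paths share encryptPass():
$storedAfter = resetPathAfter($newPassword);
echo 'after fix, correct password accepted: ',
     var_export(passwordMatches($storedAfter, loginPathAfter($newPassword)), true), "\n";
echo 'after fix, wrong password accepted: ',
     var_export(passwordMatches($storedAfter, loginPathAfter('not-the-password')), true), "\n";
```

The first comparison fails because an md5 digest and a hash(ENCRYPTION_ALGO, ...) digest of the same input are different strings (for 'sha256' they are not even the same length); the second succeeds and the third fails, which is the behaviour the report expects after the change. The point to check in a review of any password-reset code is that every write to the password column goes through the same function the login check uses.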

Activities

michiel (manager) ~0052050
28-05-13 10:42

great find, thanks