View Issue Details

ID: 0016794
Project: phpList 3 application
Category: Authentication System
View Status: public
Last Update: 28-05-13 13:54
Reporter: dymitar
Assigned To:
Status: resolved
Resolution: fixed
Product Version: 2.11.9
Target Version: 2.11.10
Fixed in Version: 2.11.10
Summary: 0016794: Cannot login after password update
Description:
After password update cannot login anymore.
The reason is a problem in function validateLogin in file

The row
$encryptedPass = hash(ENCRYPTION_ALGO,$password); //row 15
is not compatible with the row

$SQLquery=sprintf("update %s set password='%s', passwordchanged=now() where loginname = '%s';", $GLOBALS['tables']['admin'], md5($p1), $admin); //row 69

from login.php file

The password is stored in the DB with md5, and later compared with the plain password (after the hash) from the login screen

The solution is to give to the function the password with md5 applied (row 249 in index.php) or to change the row to:

$encryptedPass = hash(ENCRYPTION_ALGO,md5($password));

Steps To Reproduce:
-- go to login screen
-- fill in the email for forgotten password
-- use the received link to open the update password dialog
-- update the password
-- try to login
Login will be unsuccessful
-- change the code as described above
Login will be successful.
Tags: No tags attached.
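
The mismatch described in this report can be reproduced in isolation and caught with a round-trip check. This is an added example, not phpList code: the in-memory table, the function names, the comparison step and the value of ENCRYPTION_ALGO (sha256 here) are assumptions; only the two hashing expressions come from the rows quoted above.

```php
<?php
// Added example, not phpList code. Assumption: ENCRYPTION_ALGO is not md5.
define('ENCRYPTION_ALGO', 'sha256');

// Update path, hashing as in the quoted row 69: md5($p1) is what gets stored.
// The array stands in for the admin table (constructed, no database).
function updatePasswordAsReported(array &$table, $admin, $p1) {
    $table[$admin] = md5($p1);
}

// Login path, hashing as in the quoted row 15. The comparison is assumed.
function validateLoginAsReported(array $table, $admin, $password) {
    $encryptedPass = hash(ENCRYPTION_ALGO, $password);
    return isset($table[$admin]) && hash_equals($table[$admin], $encryptedPass);
}

// Hypothetical alternative: one derivation shared by both paths, so the
// stored value and the login-time value cannot drift apart.
function derivePasswordHash($password) {
    return hash(ENCRYPTION_ALGO, $password);
}

function updatePasswordShared(array &$table, $admin, $p1) {
    $table[$admin] = derivePasswordHash($p1);
}

function validateLoginShared(array $table, $admin, $password) {
    return isset($table[$admin])
        && hash_equals($table[$admin], derivePasswordHash($password));
}

// Round-trip check: after an update the new password must log in and a
// different one must not. $update and $validate are function names.
function passwordRoundTrips($update, $validate) {
    $table = array();
    $update($table, 'admin', 'sample-new-password');
    return $validate($table, 'admin', 'sample-new-password')
        && !$validate($table, 'admin', 'some-other-password');
}

foreach (array(
    array('updatePasswordAsReported', 'validateLoginAsReported'),
    array('updatePasswordShared', 'validateLoginShared'),
) as $pair) {
    $ok = passwordRoundTrips($pair[0], $pair[1]);
    printf("%-26s + %-25s round trip: %s\n", $pair[0], $pair[1], $ok ? 'ok' : 'FAILS');
}
```

With ENCRYPTION_ALGO set to sha256, the first pair fails the round trip because a 32-character md5 digest is compared with a 64-character sha256 digest; the shared-derivation pair passes.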



28-05-13 11:42

administrator   ~0052050

great find, thanks