phplist

ID: 0016794
Project: phplist application
Category: Authentication System
View Status: public
Date Submitted: 28-05-13 09:48
Last Update: 28-05-13 13:54
Reporter: dymitar
Priority: normal
Severity: block
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.11.9
Target Version: 2.11.10
Fixed in Version: 2.11.10
Summary: 0016794: Cannot login after password update
Description: After password update cannot login anymore.
The reason is a problem in function validateLogin in file phplist_auth.inc

The row
$encryptedPass = hash(ENCRYPTION_ALGO,$password); //row 15
is not compatible with the row

$SQLquery=sprintf("update %s set password='%s', passwordchanged=now() where loginname = '%s';", $GLOBALS['tables']['admin'], md5($p1), $admin); //row 69

from login.php file

The password is stored in the DB with md5, and later compared with the plain password (after the hash) from the login screen

The solution is to give to the function the password with md5 applied (row 249 in index.php) or to change the row to:

$encryptedPass = hash(ENCRYPTION_ALGO,md5($password));

Steps To Reproduce:
-- go to login screen
-- fill in the email for forgotten password
-- use the received link to open the update password dialog
-- update the password
-- try to login
Login will be unsuccessful
-- change the code as described above
Login will be successful.
Tags: No tags attached.

Notes
(0052050)
michiel (manager)
28-05-13 11:42


great find, thanks

