phplist

NOTE:: Before reporting an issue, make sure you are running the latest version, currently 3.3.1


View Issue Details Jump to Notes ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0017569phplist applicationInstallationpublic02-01-15 10:0006-07-15 18:04
Reporterduncanc 
PrioritynormalSeverityminorReproducibilityalways
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version3.0.10 
Target Version3.0.XFixed in Version3.2.0 
Summary0017569: Small config.php and extended config.php use different hash algorithms
DescriptionWhen trying to track a problem by switching between using the short config.php and the full config.php I found that I could not login as admin.

On investigation it appears that when you use the short config.php then phplist uses md5 as the hashing algorithm. Whereas the full config file explicitly states sha256 as the algorithm. So switching between them is going to be a problem.

This code in init.php line 191 sets the algorithm when both ENCRYPTPASSWORD and ENCRYPTION_ALGO are not defined, which is the case when using the small config file.

if (!defined("ENCRYPTPASSWORD")) {
  ## old method to encrypt, used to be with md5, keep like this for backward compat.
  if (!defined('ENCRYPTION_ALGO')) {
    define('ENCRYPTION_ALGO','md5');
  }
# define("ENCRYPTPASSWORD",0);
}

But I don't understand why this block is present and what the comment about backward compatibility means. That has been dealt with by the preceding code at line 177.
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]

-  Notes
(0055982)
michiel (manager)
24-03-15 13:47

ENCRYPTPASSWORD has been around longer than ENCRYPTION_ALGO

when ENCRYPTPASSWORD was there by itself, the hash was md5
then when ENCRYPTION_ALGO was introduced, this was defaulted to sha256 unless ENCRYPTPASSWORD was set.

But then later on the config file was reduced to make it simpler.

I guess it will depend on the history of the config file. Some of them go back many years.

Hmm, I'm not entirely sure how to resolve this. If someone has a config with ENCRYPTPASSWORD and therefore uses md5, if I default this now to sha256 things will stop working.

Probably adding the ENCRYPTION_ALGO to the small config will solve it for new installs, by setting it to sha256 there.
(0055983)
michiel (manager)
24-03-15 13:51

added to config.php


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker