Problem with MD5

[QUOTE=Gerd Dietrich;34542]aka,

crying so loud will not save the problem !!

BTW i never had this problem and i added fields in my user table after the first creation as my customer wants more fields.

What i did to prevent the md5 problem was, that in the edit mode, the user password could not be changed, i made a new form only for password updates.

Gerd[/QUOTE]

so why the password cannot be changed in EDIT MODE ?
There is nothing special about that. If I would want to read the password from existing record then decrypt it, it will not work of course because MD5 is “one way street” although changing the password and overriding existing string with new encryption should not be a problem, so I see no reason for your statement (enlighten me if I’m wrong).

the MD5 method should work independent of any other conditions and when called should result new string with encrypted password - PERIOD!

[QUOTE=aka;34739]
the MD5 method should work independent of any other conditions and when called should result new string with encrypted password - PERIOD![/QUOTE]

it should, but it doesn’t. one more small comment, why in the change password application that user is using, works fine!?

exactly, this is what I was going to point out as well! that means there is something preventing using this method in a regular form edit mode. I just tested this today again (after few SC8 updates from the net) but still having the same issue. I’m basically stuck with uploading the project to the server because I have no way to control/change user passwords (unless I skip using MD5 method).
There is definitely some bug and this must be resolved with NetMake ASAP, because it basically prevents us from using project security features.

Arthur

ok a workaround could be to remove the user and recreate it, tested and works ok, but that is still an issue that needs to be resolved ASAP. John is around, hopefully he notices this post and takes action

Arthur,

here is the code onBeforeInsert of edit_users (form)


if({pswd} != {confirm_pswd})
{
	sc_error_message({lang_error_pswd});
	sc_error_exit();
}
{pswd} = md5({pswd});

but in user_change_password (which is working ok) (control)

onValidate


if( (!isset({old_pswd}) || empty({old_pswd}) ) && (!isset([act_code]) || empty([act_code]) ) )
{
	sc_error_message({lang_error_old_pswd});
	sc_error_exit();	
}
if({pswd} != {confirm_pswd})
{
	sc_error_message({lang_error_pswd});
	sc_error_exit();
}

$spswd = sc_sql_injection(md5({pswd}));
$sold_pswd = ( isset([act_code]) && !empty([act_code]) ) ? "activation_code= ". sc_sql_injection([act_code]) : " pswd = ". sc_sql_injection(md5({old_pswd}));
unset([act_code]);


$sql = "SELECT count(*) FROM sec_users WHERE ". $sold_pswd ." AND login = '". [usr_login] . "'";
sc_lookup(rs, $sql);

if({rs} === FALSE || {rs}[0][0] == 0)
{
	sc_error_message({lang_error_old_pswd});
	sc_error_exit();	
}


and onValidateSuccess


	$sql = "UPDATE sec_users SET pswd = ".($spswd).", activation_code = '' WHERE login = '". [usr_login] . "'";
	sc_exec_sql($sql);
	sc_log_add('Change Password', [usr_login] ." ". {lang_change_pswd});
	[act_code] = '';
	sc_redir('sec_login', "", "_parent");

there is something wrong in the first form of admin edit_users! should it be onBeforeInsert?! where is the command to sql to make it updated in db!?

Hi,
as I can see, MD5 works.
The problem is that events in the form seem to be “disabled”, so all your MD5 instructions are never executed.

Try that in the onBeforeInsert of the app_form_add_users

if({pswd} != {confirm_pswd})
{
	sc_error_message({lang_error_pswd});
	sc_error_exit();
}
{pswd} = md5({pswd});
{confirm_pswd}=md5({confirm_pswd});
sc_error_message({psw});

Last line never executed and if you put different passwords, no messages also.

Sylvain

Just a comment aside:

You are not supposed to use MD5 to secure passwords anymore (ik ik… then why netmake still uses it. bla bla bla) i can recommend to you to use the ones authorized by NIST

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

tho SHA-1 is no longer accepted =P.

try to use the php implementation of SHA512


hash('SHA512','The password you just got from the user') ;

Just remember that this means you will have to change the size of your password field… 256 is an accepted standard.

Regards

hi sempai, wish you are doing well
i am not sure you read all the discussion before, see, this works fine in adding user, works fine with control (when user changes the password from his screen) but problem is when editing and updating the user password from the security module app it doesn’t actually change!

also i’m very interested in the SHA512, did you try it yourself!? is it that simple!? should be added to the project in the beginning or you can apply it to existing project

you are the man kafaecadm, hitting critical spots
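An added example, not part of the thread and not ScriptCase code: one way to move an existing project off MD5 without resetting every password, by upgrading each row the next time its owner logs in. It swaps in PHP's salted `password_hash()`/`password_verify()` rather than a bare `hash()` call; the function names and the sample row are assumptions, and PHP 7.1+ is assumed.

```php
<?php
// Added example: upgrade legacy MD5 password rows at login time.

/** True when $stored looks like the 32-hex-digit output of md5(). */
function is_legacy_md5(string $stored): bool
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

/**
 * Check a login attempt against the stored value.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the row
 * should be rewritten with a stronger hash.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Old row: compare in constant time, then re-hash on success.
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $rehash ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed sample: one row still holding an MD5 hex digest.
$row = ['login' => 'alice', 'pswd' => md5('correct horse')];

[$ok, $new] = verify_and_upgrade('correct horse', $row['pswd']);
if ($ok && $new !== null) {
    $row['pswd'] = $new; // in the application: write $new back to the user's row
}
var_dump($ok, is_legacy_md5($row['pswd']));

// Second login: the row is already upgraded, so nothing is rewritten.
[$ok2, $new2] = verify_and_upgrade('correct horse', $row['pswd']);
var_dump($ok2, $new2);

// A wrong password never triggers an upgrade.
[$bad, $none] = verify_and_upgrade('wrong', $row['pswd']);
var_dump($bad, $none);
```

The password column has to be wide enough for the new format before the first upgraded row is written; PHP's manual suggests 255 characters for `PASSWORD_DEFAULT`.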

[QUOTE=kafecadm;34820]Just a comment aside:

You are not supposed to use MD5 to secure passwords anymore (ik ik… then why netmake still uses it. bla bla bla) i can recommend to you to use the ones authorized by NIST

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

tho SHA-1 is no longer accepted =P.

try to use the php implementation of SHA512


hash('SHA512','The password you just got from the user') ;

Just remember that this means you will have to change the size of your password field… 256 is an accepted standard.

Regards[/QUOTE]

this thread is not about SHA or which encryption method should be used. If you would like to discuss it, feel free to start another topic. This is about making MD5 working in SC in general. If you have any valuable input I will be happy to see it, otherwise please do not steer this discussion into another avenue. Thank you

[QUOTE=MikeDE;34808]Arthur,

here is the code onBeforeInsert of edit_users (form)


if({pswd} != {confirm_pswd})
{
	sc_error_message({lang_error_pswd});
	sc_error_exit();
}
{pswd} = md5({pswd});[/QUOTE]

yes, this obviously is missing writing to the database SQL statement

[QUOTE=aka;34825][QUOTE=MikeDE;34808]Arthur,

here is the code onBeforeInsert of edit_users (form)


if({pswd} != {confirm_pswd})
{
	sc_error_message({lang_error_pswd});
	sc_error_exit();
}
{pswd} = md5({pswd});[/QUOTE]

yes, this obviously is missing writing to the database SQL statement[/QUOTE]

that is what i said, perhaps this is the issue of not updating the password when accessed from admin_security apps! can anybody confirm this?

[QUOTE=MikeDE;34823]hi sempai, wish you are doing well
i am not sure you read all the discussion before, see, this works fine in adding user, works fine with control (when user changes the password from his screen) but problem is when editing and updating the user password from the security module app it doesn’t actually change!

also i’m very interested in the SHA512, did you try it yourself!? is it that simple!? should be added to the project in the beginning or you can apply it to existing project

you are the man kafaecadm, hitting critical spots[/QUOTE]

@aka As I said… “comment aside”

@MikeDE yes i’ve tried it and i’ve implemented it.

Regards

OK, I recreated update form from scratch and now the password field seems to work OK, along with MD5. Not sure what it was but it seems to be fixed.
Arthur

sama chan senpai :smiley: :cool: :cool: :cool:

[QUOTE=aka;34907]OK, I recreated update form from scratch and now the password field seems to work OK, along with MD5. Not sure what it was but it seems to be fixed.
Arthur[/QUOTE]

Arthur, do you mean now you can change the password of the user from the sec_edit users!? what did you change? is it the code i posted earlier that is not sending the data to db?

@aka
can you please tell us again how you manage to make the md5 thing work in the edit users field? i am trying since few hours and it is sending the password as free text to the database!! without encrypting it!

okay, here is what i did
there is code of md5 in onBeforeInsert I copied it to onBeforeUpdate and seems working so far
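An added example, not from the thread or from ScriptCase: the decision an update handler has to make once the MD5 line is copied into it, written as plain PHP. If the edit form submits the field blank, or still holding the hash it loaded from the row, hashing unconditionally would store a hash of the wrong input and lock the user out. The function name and sample values are assumptions; `md5()` is kept only because it is the scheme the thread's forms use.

```php
<?php
// Added example: value to store in the password column on insert or update.

/**
 * @param string      $submitted  password field as posted by the form
 * @param string      $confirm    confirmation field as posted
 * @param string|null $storedHash hash already in the row; null when inserting
 */
function password_column_value(string $submitted, string $confirm, ?string $storedHash): string
{
    if ($storedHash !== null) {
        // Update with the field left blank, or still holding the hash the form
        // loaded from the row: keep the stored value instead of hashing again.
        if ($submitted === '' || hash_equals($storedHash, $submitted)) {
            return $storedHash;
        }
    } elseif ($submitted === '') {
        throw new InvalidArgumentException('a new user needs a password');
    }
    if ($submitted !== $confirm) {
        throw new InvalidArgumentException('password and confirmation differ');
    }
    return md5($submitted); // same scheme as the thread's onBeforeInsert code
}

// Constructed sample values, not taken from any real table.
$stored = md5('old-secret');

$cases = [
    'field left blank'        => ['', '', $stored],
    'field shows stored hash' => [$stored, '', $stored],
    'password changed'        => ['new-secret', 'new-secret', $stored],
    'new user'                => ['first-secret', 'first-secret', null],
];
foreach ($cases as $label => [$pw, $confirm, $hash]) {
    $value = password_column_value($pw, $confirm, $hash);
    $kept  = $hash !== null && $value === $hash;
    printf("%-24s %s (%s)\n", $label, $value, $kept ? 'kept' : 'hashed');
}

try {
    password_column_value('new-secret', 'typo', $stored);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In a ScriptCase form the same branches would sit in both onBeforeInsert and onBeforeUpdate, with `sc_error_message()` and `sc_error_exit()` in place of the exceptions.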