Radicore Forum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » RADICORE development » Bug Reports » login fails after upgrade to ver 1.42 (if passwords stored as plain text (workround details outlined))
login fails after upgrade to ver 1.42 [message #1927] Sun, 28 December 2008 16:25 Go to next message
David Lee is currently offline  David Lee
Messages: 44
Registered: June 2006
Member
I upgraded a system that stored passwords as plain text Sad , including updating the menu database and table. After this, I could not log in.

I think that the update to the menu database reset the password storage to encrypted. I have solved my problem by


  • Edit the config.inc file to output all sql queries
  • Try logging in as a user - this fails
  • extract the encrypted password from the saved sql query
  • replace the plain text password in the menu database with the encrypted password, using, in my case phpmyadmin


This needs repeating for all users with plain text passwords

Generally, the best option is do not use plain text passwords. As this is a one-time problem, I expect to use the work round rather than have a patch issued.

However, does my workround expose a security weakness if logging of sql queries are enabled?
Re: login fails after upgrade to ver 1.42 [message #1928 is a reply to message #1927] Mon, 29 December 2008 06:22 Go to previous messageGo to next message
AJM is currently offline  AJM
Messages: 2350
Registered: April 2006
Location: Surrey, UK
Senior Member
There was no file in the 1.42 upgrade which reset the value of PSWD_ENCRYPT in the MNU_CONTROL table. You may have reloaded the whole of 'radicore\menu\sql\mysql\menu-data.sql', but this would be a mistake as this is only supposed to be used for new installations, not upgrades.

You could have solved this problem with a single SQL update by changing the value of PSWD_ENCRYPT instead of going through each user one at a time.

It is generally considered bad practice to store plain text passwords in your database, so what is your reason for doing so? This is far more of a security weakness than exposing encrypted passwords when logging sql queries.


Re: login fails after upgrade to ver 1.42 [message #1929 is a reply to message #1927] Mon, 29 December 2008 15:56 Go to previous messageGo to next message
David Lee is currently offline  David Lee
Messages: 44
Registered: June 2006
Member
Thanks for the response. Plain text passwords was a test setting that did not get reset, and the smiley Crying or Very Sad in the OP was intended to convey that was bad practice. I don't understand how the upgrade caused it, but have no other explanation of how it could have happened, so I guess it can only be recorded as finger trouble.
My knowledge of which variables control RADICORE is limited, so I am not surprised that there was better ways to sort it out. Thinking security, I realised that my method requires quite a lot of unusual privileges, so was unlikely to be a security hazard on a well configured system.
Re: login fails after upgrade to ver 1.42 [message #1930 is a reply to message #1929] Tue, 30 December 2008 05:08 Go to previous message
AJM is currently offline  AJM
Messages: 2350
Registered: April 2006
Location: Surrey, UK
Senior Member
David Lee wrote on Mon, 29 December 2008 20:56

My knowledge of which variables control RADICORE is limited...

There are only two places where configuration parameters are stored:

  • in the MNU_CONTROL table, as shown in screen Menu Control Data
  • in the CONFIG.INC file


Previous Topic: Problem extending sql_from
Next Topic: Problem in implementing FAQ 81
Goto Forum:
  


Current Time: Mon Jun 17 19:47:56 EDT 2024

Total time taken to generate the page: 0.01239 seconds