Radicore Forum: Bug Reports » login fails after upgrade to ver 1.42

Home » RADICORE development » Bug Reports » login fails after upgrade to ver 1.42 (if passwords stored as plain text (workround details outlined))

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Sun, 28 December 2008 16:25

David Lee
Messages: 44
Registered: June 2006

Member

I upgraded a system that stored passwords as plain text Sad

, including updating the menu database and table. After this, I could not log in.

I think that the update to the menu database reset the password storage to encrypted. I have solved my problem by

Edit the config.inc file to output all sql queries
Try logging in as a user - this fails
extract the encrypted password from the saved sql query
replace the plain text password in the menu database with the encrypted password, using, in my case phpmyadmin

This needs repeating for all users with plain text passwords

Generally, the best option is do not use plain text passwords. As this is a one-time problem, I expect to use the work round rather than have a patch issued.

However, does my workround expose a security weakness if logging of sql queries are enabled?

Report message to a moderator

Re: login fails after upgrade to ver 1.42 [message #1928 is a reply to message #1927]

Mon, 29 December 2008 06:22

AJM
Messages: 2347
Registered: April 2006
Location: Surrey, UK

Senior Member

There was no file in the 1.42 upgrade which reset the value of PSWD_ENCRYPT in the MNU_CONTROL table. You may have reloaded the whole of 'radicore\menu\sql\mysql\menu-data.sql', but this would be a mistake as this is only supposed to be used for new installations, not upgrades.

You could have solved this problem with a single SQL update by changing the value of PSWD_ENCRYPT instead of going through each user one at a time.

It is generally considered bad practice to store plain text passwords in your database, so what is your reason for doing so? This is far more of a security weakness than exposing encrypted passwords when logging sql queries.

Tony Marston
http://www.tonymarston.net
http://www.radicore.org

Report message to a moderator

Re: login fails after upgrade to ver 1.42 [message #1929 is a reply to message #1927]

Mon, 29 December 2008 15:56

David Lee
Messages: 44
Registered: June 2006

Member

Thanks for the response. Plain text passwords was a test setting that did not get reset, and the smiley Crying or Very Sad

in the OP was intended to convey that was bad practice. I don't understand how the upgrade caused it, but have no other explanation of how it could have happened, so I guess it can only be recorded as finger trouble.
My knowledge of which variables control RADICORE is limited, so I am not surprised that there was better ways to sort it out. Thinking security, I realised that my method requires quite a lot of unusual privileges, so was unlikely to be a security hazard on a well configured system.

Report message to a moderator