Login fails after password change

Post a reply


This question is a means of preventing automated form submissions by spambots.
Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:
BBCode is ON
[img] is ON
[url] is ON
Smilies are ON
Topic review
   

If you wish to attach one or more files enter the details below.

Maximum filesize per attachment: 1 MiB.

Expand view Topic review: Login fails after password change

Re: Login fails after password change

by axew3 » Tue Jan 14, 2020 10:38 pm

So, i after check all things about, and i see all goes fine, until a password do not contain a character (for example) like "
"^K@rMtm5Pt%&""""\k5YYaDPO8xVl(Q

please update to

Code: Select all

== Changelog ==

= 2.1.0 =
*Release Date - 14 Gen, 2020*
* Fix: passwords hashing and password check flow, to be compatible between new phpBB3 3.3.0 and previsous 3.2 versions
* Fix: password containing special chars like " or may not allowed in WP like \ to be recognized and hashed correctly
* Add: phpBB 3.3.0 PASSWORD_ARGON2I and PASSWORD_ARGON2ID support
* Minor fixes
just released!

Re: Login fails after password change

by axew3 » Tue Jan 14, 2020 11:29 am

P.s

about the password fix, to be clear, still the code isn't perfect, but normally will work.
When will not work?
When an hash will present chars sequence like this into string:
$2y$10$KVxgz$argon2i.sYBz2ffHPU..6ISD2.KcA6gIseKv4cKe...
due to this:
if( strpos($hash,'$argon2i') !== false ){
the sequence
$argon2i
could be present into an hash as part of it, and strpos used like this, search for this chars sequence, despite it is at BEGIN of the string OR NOT
$argon2i$v=19$m=1024,t=2,p=2$em4yaWRMWmdjRzFkUkVXaQ$TjPDZZt2peE+5uLuYscob7CA2ZgDFRYKJQs0Z80f7XM
we suppose can be very rare but can happen that an hash present sequence like the
$argon2i as part of it and NOT at the start. 1 into 1 million? Do not know, in this case the hash recognition will fail.
I only know it need to be resolved just: checking that the string is at begin of the string (easy!) or using native php function, we'll see

Re: Login fails after password change

by axew3 » Tue Jan 14, 2020 11:10 am

Released 2.0.9

Code: Select all

== Changelog ==

= 2.0.9 =
*Release Date - 14 Gen, 2020*
* Fix: (reported bug) password check in WordPress fail, if password change done by user in phpBB profile
* Minor Fix: page-forum.php to correctly set the targetOrigin value
* Minor Fix: page-forum.php -> to have Template Forum as template option when creating blank page in WordPress, and installed WP theme let choose between different templates to create a page. The pae Forums will be available to choose, and let work fit the template with no problems on layout. See: https://www.axew3.com/w3/2019/12/phpbb-wordpress-template-integration-iframe-v4/
* Note that also the iframe overall_footer.html v4 code has been updated to fix two issues (most important: correctly reposition iframe in certain conditions)

Re: Login fails after password change

by doh » Tue Jan 14, 2020 10:55 am

Thanks for fast response!
Modify fixed the problem.

Re: Login fails after password change

by axew3 » Tue Jan 14, 2020 10:42 am

The new plugin version is on release to fix this, so the
function wp_check_password($password, $hash, $user_id) { into wp_w3all.php file,
will be switched (at moment but the function will be totally rewrite, even if it work fine as will be now) to this:

Code: Select all

function wp_check_password($password, $hash, $user_id) {
   global $wpdb,$wp_hasher;
      
   $password = trim($password);
   
   if( $user_id < 1 ){ return; }
 
    $is_phpbb_admin = ( $user_id == 1 ) ? 1 : 0; // switch for phpBB admin // 1 admin 0 all others
     $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
     $wpu = $wpdb->get_row("SELECT * FROM $wpu_db_utab WHERE ID = '".$user_id."'");
 if(!empty($wpu)){
   $changed = WP_w3all_phpbb::check_phpbb_passw_match_on_wp_auth($wpu->user_login, $is_phpbb_admin);
   
	 if ( $changed !== false ){ 
      $hash = $changed;
    }
	 	 
	 // If the hash is still md5...
    if ( strlen($hash) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );
     }
 
  if( strpos($hash,'$argon2i') !== false ){
  $check = password_verify($password, $hash);
  $HArgon2i = true;
 }
 
 if ( !isset($check) OR $check !== true && !isset($HArgon2i) ){ // md5 check failed or not fired above ...
	// new style phpass portable hash.
	if ( empty($wp_hasher) ) {
		require_once( ABSPATH . WPINC . '/class-phpass.php');
		// By default, use the portable hash from phpass
		$wp_hasher = new PasswordHash(8, true);
	}
	
    $check = $wp_hasher->CheckPassword($password, $hash); // WP check
  }

     if ($check !== true && strlen($hash) > 32 && !isset($HArgon2i)){ // Wp check failed ... check that isn't an md5 at this point before to follow or get PHP Fatal error in ... addons/bcrypt/bcrypt.php:111
       require_once( WPW3ALL_PLUGIN_DIR . 'addons/bcrypt/bcrypt.php');
       $password = htmlspecialchars($password);
       $ck = new w3_Bcrypt();
       $check = $ck->checkPassword($password, $hash);
     }
     
     if ($check === true){
     	if($wpu){
     	
     	  $phpBB_user_session_set = WP_w3all_phpbb::phpBB_user_session_set_res($wpu); 
     	  define("PHPBBCOOKIERELEASED", true); // then the session will be set on_login hook, if this filter bypassed
      } else {
           $check = false;
        }
     } 
 
	   return apply_filters( 'check_password', $check, $password, $hash, $user_id );
} else {
     	return apply_filters( 'check_password', false, $password, $hash, $user_id );
     }
}

endif;

Re: Login fails after password change

by axew3 » Tue Jan 14, 2020 10:23 am

OK! here we go ...
The plugin will be released within today to fix this, and really minor fixes.
Still this way, the code will thrown php error notice, that in non debug you'll not see, if passed password will be wrong.
The complete code is coming in minutes, and the release of the plugin also

To fix this problem, the most short way is this:

OPEN wp_w3all.php and where this code ( into function function wp_check_password($password, $hash, $user_id) { )

Code: Select all

	 // If the hash is still md5...
    if ( strlen($hash) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );
     }
IMMEDIATELY after, ADD:

Code: Select all

 $check = password_verify($password, $hash);
thank for the report, follow if you find out bugs please!

Top