Lots of errors

[ave]

Hello,

I installed your plugin and it works great, without problems. However, I noticed strange errors in my error_log, seems that somebody is using your plugin to force his way through?

Code: Select all

[24-Apr-2017 12:20:13 UTC] PHP Fatal error:  Uncaught Exception: Unsupported hash format. in /home/mysite/public_html/wp-content/plugins/wp-w3all-phpbb-integration2/addons/bcrypt/bcrypt.php:111
Stack trace:
#0 /home/mysite/public_html/wp-content/plugins/wp-w3all-phpbb-integration2/addons/bcrypt/bcrypt.php(59): w3_Bcrypt::_validateIdentifier('$H$9xPJKaelb...')
#1 /home/mysite/public_html/wp-content/plugins/wp-w3all-phpbb-integration2/wp_w3all.php(488): w3_Bcrypt::checkPassword('123456', '$H$9xPJKaelb...')
#2 /home/mysite/public_html/wp-includes/user.php(162): wp_check_password('123456', '$H$9xPJKaelb...', 6)
#3 /home/mysite/public_html/wp-includes/class-wp-hook.php(298): wp_authenticate_username_password(Object(WP_User), 'matt32', '123456')
#4 /home/mysite/public_html/wp-includes/plugin.php(203): WP_Hook->apply_filters(NULL, Array)
#5 /home/mysite/public_html/wp-includes/pluggable.php(522): apply_filters('authenticate', NULL, 'matt32', '123456')
#6 /home/mysite/public_html/wp-includes/user.php(85): wp_authenticate('matt32', '123456')
#7 /h in /home/mysite/public_html/wp-content/plugins/wp-w3all-phpbb-integration2/addons/bcrypt/bcrypt.php on line 111

There are more than 1500 similar errors, all from yesterday and today, since I installed w3 plugin.

Thank you!

[axew3]

your phpBB i assume is 3.1 or better, and maybe is an old one updated? (where can be users with old hash format? (so i will take a look to definitively resolve this problem issue in case)) ...
it seem just this kind of error, an user have an old md5 pass stored into phpBB, or an hash not recognized by crypt class.
This problem can be easily resolved to force in case these users to reset passw and code to not lead to an error.
There is no strange char passed that let think to some other problem.
Looking as soon ...

[axew3]

find out the problem ... resolving, thank for the info!
No security fix needed: just a code fix.
Further more, md5 passwords are correctly recognized instead.
Fixing this as soon-

[axew3]

Fix to recognize old md5 style password of phpBB applied.
Now also old styles passwords are correctly passed for check into WP and no more errors about.
Substitute the file wp_w3all.php with the new one:
https://plugins.trac.wordpress.org/expo ... _w3all.php
wp_w3all 1.6.9 has just been patched to resolve definitively this issue.