Hi,
I'm having a problem with password change via phpBB and I couldn't find any information about it. The problem occurs when a user changes their password from phpBB. After the password change, the user can log in to phpBB, but login to WordPress fails with both the new and the old password. Before the password change, login works for both.
What am I missing?
Login fails after password change
- axew3
- w3all User
- Posts: 2883
- Joined: Fri Jan 22, 2016 5:15 pm
- Location: Italy
- Contact:
Re: Login fails after password change
checking ...
- axew3
Re: Login fails after password change
You miss nothing, phpBB 3.3.0 adds something:
Code:
Argon2i and Argon2id password hashing - Argon2i (on PHP 7.2) and Argon2id (PHP >= 7.3) are supported
checking to resolve asap!
- axew3
Re: Login fails after password change
OK! here we go ...
The plugin will be released today to fix this, along with some really minor fixes.
Still, this way the code will throw a PHP error notice (which you'll not see in non-debug mode) if the passed password is wrong.
The complete code is coming in minutes, and the release of the plugin also.
To fix this problem, the shortest way is this:
OPEN wp_w3all.php and, where this code is (in function wp_check_password($password, $hash, $user_id) { ):
Code:
// If the hash is still md5...
if ( strlen($hash) <= 32 ) {
    $check = hash_equals( $hash, md5( $password ) );
}
IMMEDIATELY after, ADD:
Code:
$check = password_verify($password, $hash);
Thanks for the report, please follow up if you find bugs!
- axew3
Re: Login fails after password change
The new plugin version is being released to fix this, so the
function wp_check_password($password, $hash, $user_id) { in the wp_w3all.php file
will be switched (for the moment, but the function will be totally rewritten, even if it works fine as it will be now) to this:
Code:
function wp_check_password($password, $hash, $user_id) {
    global $wpdb, $wp_hasher;

    $password = trim($password);
    if ( $user_id < 1 ) { return false; } // no valid user: fail the check

    $is_phpbb_admin = ( $user_id == 1 ) ? 1 : 0; // switch for phpBB admin // 1 admin 0 all others
    $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
    // Bind the user ID as an integer instead of concatenating it into the query
    $wpu = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpu_db_utab WHERE ID = %d", $user_id ) );

    if ( !empty($wpu) ) {
        // If the password was changed on the phpBB side, verify against the phpBB hash
        $changed = WP_w3all_phpbb::check_phpbb_passw_match_on_wp_auth($wpu->user_login, $is_phpbb_admin);
        if ( $changed !== false ) {
            $hash = $changed;
        }

        // If the hash is still md5...
        if ( strlen($hash) <= 32 ) {
            $check = hash_equals( $hash, md5( $password ) );
        }

        // phpBB 3.3.0 Argon2i / Argon2id hashes (the prefix test matches both)
        if ( strpos($hash, '$argon2i') !== false ) {
            $check = password_verify($password, $hash);
            $HArgon2i = true;
        }

        if ( !isset($check) OR $check !== true && !isset($HArgon2i) ) { // md5 check failed or not fired above ...
            // new style phpass portable hash.
            if ( empty($wp_hasher) ) {
                require_once( ABSPATH . WPINC . '/class-phpass.php');
                // By default, use the portable hash from phpass
                $wp_hasher = new PasswordHash(8, true);
            }
            $check = $wp_hasher->CheckPassword($password, $hash); // WP check
        }

        // WP check failed ... check that it isn't an md5 at this point before following,
        // or get PHP Fatal error in ... addons/bcrypt/bcrypt.php:111
        if ( $check !== true && strlen($hash) > 32 && !isset($HArgon2i) ) {
            require_once( WPW3ALL_PLUGIN_DIR . 'addons/bcrypt/bcrypt.php');
            $password = htmlspecialchars($password);
            $ck = new w3_Bcrypt();
            $check = $ck->checkPassword($password, $hash);
        }

        if ( $check === true ) {
            if ( $wpu ) {
                $phpBB_user_session_set = WP_w3all_phpbb::phpBB_user_session_set_res($wpu);
                define("PHPBBCOOKIERELEASED", true); // then the session will be set on_login hook, if this filter bypassed
            } else {
                $check = false;
            }
        }

        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    } else {
        return apply_filters( 'check_password', false, $password, $hash, $user_id );
    }
}
endif; // closes an enclosing if (...): block whose opening line is not shown in this post
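The fix in this thread comes down to sending each stored hash to the verifier that matches its format. As an added example (not the plugin's code; `classify_hash` and `verify_by_format` are hypothetical names, and the sample password and hashes are constructed), this script dispatches on the hash prefix and fails closed on anything it does not recognise:

```php
<?php
// Added example, not code from the w3all plugin. Function names are hypothetical.
// Classify a stored hash by its format so each one reaches the right verifier.
function classify_hash(string $hash): string
{
    if (preg_match('/\A[a-f0-9]{32}\z/i', $hash)) {
        return 'md5';       // legacy unsalted MD5 hex digest
    }
    if (preg_match('/\A\$argon2id?\$/', $hash)) {
        return 'argon2';    // Argon2i / Argon2id, as added in phpBB 3.3.0
    }
    if (preg_match('/\A\$2[axy]\$/', $hash)) {
        return 'bcrypt';
    }
    if (preg_match('/\A\$[PH]\$/', $hash)) {
        return 'phpass';    // portable phpass hash
    }
    return 'unknown';
}

// $phpass is an optional callable such as [$wp_hasher, 'CheckPassword'].
function verify_by_format(string $password, string $hash, ?callable $phpass = null): bool
{
    switch (classify_hash($hash)) {
        case 'md5':
            return hash_equals(strtolower($hash), md5($password));
        case 'argon2':
            // Only meaningful when this PHP build ships Argon2 support
            return defined('PASSWORD_ARGON2I') && password_verify($password, $hash);
        case 'bcrypt':
            return password_verify($password, $hash);
        case 'phpass':
            return $phpass !== null && $phpass($password, $hash) === true;
        default:
            return false;   // unknown format: fail closed, never fall through
    }
}

// Constructed sample hashes, generated on the spot so the script runs offline.
$samples = ['md5' => md5('s3cret!'), 'bcrypt' => password_hash('s3cret!', PASSWORD_BCRYPT)];
if (defined('PASSWORD_ARGON2I')) {
    $samples['argon2i'] = password_hash('s3cret!', PASSWORD_ARGON2I);
}
foreach ($samples as $name => $hash) {
    printf("%-8s %-8s ok=%s bad=%s\n", $name, classify_hash($hash),
        var_export(verify_by_format('s3cret!', $hash), true),
        var_export(verify_by_format('wrong', $hash), true));
}
```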
Re: Login fails after password change
Thanks for the fast response!
The modification fixed the problem.