Author Topic: SMF Login vulnerability: Change your passwords (Read 22014 times)

Badspot · July 14, 2018, 02:42:38 PM

Quote from: joe411 on July 14, 2018, 10:40:35 AM

Damn, does it really not salt hashed passwords? SMF is worse than I thought.

To be fair, it sort of does. There is a password_salt field which is not used for salting the password, but is used as part of the login cookie and changes every time you log in. The passwd field itself is sha1(username + password). Why they did not at least switch to the built in password_hash php function for smf 2.x remains a mystery.

Of course talk of secure hashing is academic when you can just walk up to the server and brute force any password using the un-logged, un-rate-limited, ssi_checkPassword function which existed for years as part of smf 1.1

Ad Bot · Advertisement

Badspot · July 14, 2018, 02:51:25 PM

Quote from: Ceist on July 14, 2018, 12:36:58 PM

i cant change my password because i lost the privilege to edit my profile.

How about now?

Edd Eddington · July 14, 2018, 03:30:35 PM

badspot

Ceist · July 14, 2018, 03:54:54 PM

Quote from: Badspot on July 14, 2018, 02:51:25 PM

How about now?

works now, thanks

datiel12 · July 14, 2018, 04:13:07 PM

Quote from: Edd Eddington on July 14, 2018, 03:30:35 PM

badspot

badspot

Sentry · July 14, 2018, 05:12:54 PM

When can we expect to get a forum theme?

crazies alt · July 14, 2018, 08:31:34 PM

whats the new max avatar file size? could you increase the attachment file size or will that just make the servers cost more?

skill4life · July 14, 2018, 09:21:30 PM

Quote from: Badspot on July 14, 2018, 02:51:25 PM

How about now?

yee its there, thanks dad

Roul� · July 14, 2018, 11:01:36 PM

Old accounts are 'deactivated' and if you send an activation letter, you get this

Squib · July 14, 2018, 11:42:18 PM

"""Team"""

mctwist · July 15, 2018, 02:13:46 AM

Quote from: Badspot on July 14, 2018, 02:42:38 PM

To be fair, it sort of does. There is a password_salt field which is not used for salting the password, but is used as part of the login cookie and changes every time you log in. The passwd field itself is sha1(username + password). Why they did not at least switch to the built in password_hash php function for smf 2.x remains a mystery.

I haven't read the source of SMF, but shouldn't it be quite easy to add an extra field in the DB and each time you log in you do the following pseudo code:

Code: [Select]

if (new field is not empty) then
    if (password_verify with new field) then
        logged in
    else
        invalid login
    end
else
    if (sha1 password verify with old field) then
        update new field with password_hash with retrieved password
        logged in
    else
        invalid login
    end
end

It sounds simple, but feel free to tear it apart.

Ceist · July 15, 2018, 02:14:30 AM

Quote from: Squib on July 14, 2018, 11:42:18 PM

"""Team"""

Badspot has multiple personality disorder

RTBARCHIVE · July 15, 2018, 02:17:23 AM

Quote from: Squib on July 14, 2018, 11:42:18 PM

"""Team"""

badspot administrates, rotondo moderates, and kompressor just looks cool
perfect team

Conan · July 15, 2018, 03:38:04 AM

kompressor isnt even a forum admin, ephi was the only other one afaik and he left years ago

Badspot · July 15, 2018, 04:55:12 AM

Quote from: Roul� on July 14, 2018, 11:01:36 PM

Old accounts are 'deactivated' and if you send an activation letter, you get this
https://i.imgur.com/Go1ZdIm.png

Welp, the activation codes don't work the same way as the password recovery codes, even though they use the same field in the database. Trying again.