#3 adding vBulletin style password encryption

closed-rejected
Jerry Stuckle
None
5
2005-02-21
2005-02-14
Darix
No

hi,

i needed to authenticate against vBulletin3.
i found the following informations:

$user['password'] = md5(md5($password) . $salt);

the attached patch adds that encryption type to
mod_auth_mysql 2.8.1.

i attached 2 versions:

mod_auth_mysql.c.vbmd5-wo_whitespacefixes.patch:
contains only the needed changes to the code. for
easier reviewing.

mod_auth_mysql.c.vbmd5.patch:
removes some trailing white spaces.

i tested the module on my server against apache 2.0.53,
mysql 4.0.15, vB 3.0.6.

Discussion

  • Darix
    Darix
    2005-02-14

    tar ball of the patches

     
    Attachments
  • Jerry Stuckle
    Jerry Stuckle
    2005-02-15

    • assigned_to: nobody --> jstuckle
     
  • Jerry Stuckle
    Jerry Stuckle
    2005-02-15

    Logged In: YES
    user_id=1049703

    Looking at the suggested patch.

     
  • Jerry Stuckle
    Jerry Stuckle
    2005-02-21

    Logged In: YES
    user_id=1049703

    We looked at this.

    VBulletin is using a non-standard encryption mechanism. The
    sequence is:

    1. Take the MD5 hash of the password
    2. Concatenate a salt string to the hashed password
    3. Take the MD5 hash of the new value.

    We try to support all standard hash password hash/encryption
    mechanisms.

    However, there are an almost unlimited number of
    non-standard variations floating around. We don't think
    it's reasonable to attempt to support variations defined by
    one program. Rather, that program should be encouraged to
    use standardized methods of encryption.

    Sorry, we won't be implementing this change, although the
    newer format in Version 2.9.0 should make it easier for you
    to do so if you wish.

    We will leave this open for two weeks to give others a
    chance to respond.

    Jerry

     
  • Jerry Stuckle
    Jerry Stuckle
    2005-02-21

    • status: open --> closed-rejected