Author Topic: Bridge Manager emergency recovery  (Read 4770 times)


Nibbler

  • Guest
Bridge Manager emergency recovery
« on: July 01, 2005, 03:54:53 pm »

Isn't letting me disable the bridge, I suspect it does not support md5 passwords.
« Last Edit: July 04, 2005, 11:45:14 pm by Nibbler »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Bridge Manager emergency recovery
« Reply #1 on: July 02, 2005, 11:45:45 am »

It doesn't, must have been forgotten when MD5-encryption was introduced. Volunteers?
Logged

donnoman

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1615
  • From donovanbray.com
    • Donovan Bray
Re: Bridge Manager emergency recovery
« Reply #2 on: July 04, 2005, 12:15:24 am »

I've painted myself in that corner once or twice, I had to use phpmyadmin and reset the config var.

What exactly do you want to happen to what files? I'll check into it.
Logged

Nibbler

  • Guest
Re: Bridge Manager emergency recovery
« Reply #3 on: July 04, 2005, 12:47:29 am »

This bit:

Code:
        $temp_user_table = $CONFIG['TABLE_PREFIX'].'users';
        $results = cpg_db_query("SELECT user_id, user_name, user_password FROM $temp_user_table WHERE user_name = '" . addslashes($_POST['username']) . "' AND BINARY user_password = '" . addslashes($_POST['password']) . "' AND user_active = 'YES' AND user_group = '1'");

Needs to be modified to check if md5 passwords are enabled and hash the entered password if so.
Logged

donnoman

Re: Bridge Manager emergency recovery
« Reply #4 on: July 04, 2005, 06:18:55 am »

There also appears to be a problem if you are missing some of the bridged tables.

You can't get bridgemanager to run at all. It dies with:

Code:
While executing query "SELECT MAX(group_quota) as disk_max, MIN(group_quota) as disk_min, MAX(can_rate_pictures) as can_rate_pictures, MAX(can_send_ecards) as can_send_ecards, MAX(upload_form_config) as ufc_max, MIN(upload_form_config) as ufc_min, MAX(custom_user_upload) as custom_user_upload, MAX(num_file_upload) as num_file_upload, MAX(num_URI_upload) as num_URI_upload, MAX(can_post_comments) as can_post_comments, MAX(can_upload_pictures) as can_upload_pictures, MAX(can_create_albums) as can_create_albums, MAX(has_admin_access) as has_admin_access, MIN(pub_upl_need_approval) as pub_upl_need_approval, MIN( priv_upl_need_approval) as  priv_upl_need_approval FROM cpg14x_usergroups WHERE group_id in (1)" on 0

mySQL error: Table 'smf.cpg14x_usergroups' doesn't exist

I believe it's because calling pageheader starts including all of the coppermine stuff, I'm thinking we need to separate bridgemanager a little bit more from the main of coppermine.
Logged

Joachim Müller

Re: Bridge Manager emergency recovery
« Reply #5 on: July 04, 2005, 06:49:35 am »

No problem with that: as the bridge manager is visible for admin only, I could well live with it only using the simple UI of the installer and update.
Logged

donnoman

Re: Bridge Manager emergency recovery
« Reply #6 on: July 04, 2005, 10:44:42 pm »

To fix the missing tables problem from a botched bridge setup I set it to always run bridge manager un-bridged by editing this in init.inc.php.

Code:
// Set UDB_INTEGRATION if enabled in admin
if ($CONFIG['bridge_enable'] == 1 && !defined('BRIDGEMGR_PHP')) {
    $BRIDGE = cpg_get_bridge_db_values();
} else {

To make bridgemanager-recovery honor encrypted passwords I added/modified the following in bridgemanager.php:
Code:
        // Check if encrypted passwords are enabled
        if ($CONFIG['enable_encrypted_passwords']) {
            $encpassword = md5(addslashes($_POST['password']));
        } else {
            $encpassword = addslashes($_POST['password']);
        }

        $results = cpg_db_query("SELECT user_id, user_name, user_password FROM $temp_user_table WHERE user_name = '" . addslashes($_POST['username']) . "' AND BINARY user_password = '" . $encpassword . "' AND user_active = 'YES' AND user_group = '1'");
        if (mysql_num_rows($results)) {
            $retrieved_data = mysql_fetch_array($results);
        }
        if ($retrieved_data['user_name'] == $_POST['username'] && $retrieved_data['user_password'] == $encpassword && $retrieved_data['user_name'] != '' ) {

Fixes committed, can someone verify it works as expected?
Logged
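
The recovery-login check discussed in this thread, as an added example that is not Coppermine's code and not part of any post above. It goes slightly beyond the posted snippets by binding the username as a parameter and comparing the credential in PHP; it assumes the stored hash is `md5()` of the raw password, and the function names, the in-memory SQLite database and every row are constructed for illustration.

```php
<?php
// Added example: only the column names, TABLE_PREFIX and
// enable_encrypted_passwords come from the thread; everything else is hypothetical.

function recovery_credential(string $password, bool $md5_enabled): string
{
    // Hash the raw input. Escaping is a concern of the SQL layer, not of the credential.
    return $md5_enabled ? md5($password) : $password;
}

function recovery_login(PDO $db, array $config, string $user, string $password): bool
{
    $table = $config['TABLE_PREFIX'] . 'users';   // prefix comes from config, never from the request
    $stmt = $db->prepare(
        "SELECT user_name, user_password FROM $table
         WHERE user_name = ? AND user_active = 'YES' AND user_group = 1"
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                             // unknown, inactive or non-admin account
    }
    $expected = recovery_credential($password, !empty($config['enable_encrypted_passwords']));
    // Exact, case-sensitive comparison (the role BINARY plays in the thread's query).
    return hash_equals((string) $row['user_password'], $expected);
}

// Constructed demo data: one admin (group 1) and one ordinary member (group 2).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cpg_users (user_id INTEGER PRIMARY KEY, user_name TEXT,
           user_password TEXT, user_active TEXT, user_group INTEGER)");
$ins = $db->prepare("INSERT INTO cpg_users (user_name, user_password, user_active, user_group)
                     VALUES (?, ?, 'YES', ?)");
$ins->execute(['admin', md5("it's-a-demo"), 1]);
$ins->execute(['member', md5('member-demo'), 2]);

$config = ['TABLE_PREFIX' => 'cpg_', 'enable_encrypted_passwords' => 1];
var_dump(recovery_login($db, $config, 'admin', "it's-a-demo"));   // correct admin password
var_dump(recovery_login($db, $config, 'admin', 'wrong'));         // wrong password
var_dump(recovery_login($db, $config, 'member', 'member-demo'));  // valid user, not an admin

// Order of escaping and hashing: do the two digests agree for a password with a quote?
var_dump(md5(addslashes("it's-a-demo")) === md5("it's-a-demo"));
```

The final line compares the digest of the escaped password with the digest of the raw one; they differ whenever the password contains a character that `addslashes()` escapes, which matters if the stored hash was computed from the raw password.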

Nibbler

  • Guest
Re: Bridge Manager emergency recovery
« Reply #7 on: July 04, 2005, 11:41:13 pm »

Works fine now, thanks.
Logged