
Author Topic: Passwords  (Read 4045 times)


Chefkochx

« on: January 22, 2004, 03:14:50 pm »

I've got a question about the bridges.
In my Coppermine tables (standalone) I can see all passwords of users.
But when I look in my phpnuke -> nuke_users, the passwords are encrypted.
My question is: Is it possible that Coppermine has the ability to decode the password lines of phpnuke? I can't believe that CPM can use nuke_users.
Can you help me?

Chefkoch

Terragen

« Reply #1 on: January 22, 2004, 03:26:39 pm »

Coppermine stores passwords in plaintext - nuke does not.

Coppermine cannot (nor does it) decrypt passwords - it simply does not encrypt them which is why you can read them.

Here's a way to modify the code to encrypt the passwords - makes it a bit more secure.

http://forum.coppermine-gallery.net/index.php?topic=2179

Chefkochx

« Reply #2 on: January 22, 2004, 03:36:43 pm »

Cool,
I will check it.
Is it the same encryption as in phpnuke?
I will combine my phpnuke on one space and coppermine on another space. So I have to add my "new users" manually in the user table in CPM Standalone. So the problem is that I can't read the passwords of my users because they are encrypted :-(

Besides,
is it possible to decrypt all passwords of my users in phpnuke?

Terragen

« Reply #3 on: January 22, 2004, 05:21:00 pm »

Quote from: "Chefkochx"
Cool,
I will check it.
Is it the same encryption as in phpnuke?
I will combine my phpnuke on one space and coppermine on another space. So I have to add my "new users" manually in the user table in CPM Standalone. So the problem is that I can't read the passwords of my users because they are encrypted :-(


Well I looked at phpnuke about a year ago but not in too much detail. It probably uses MD5 encryption (like the link I posted) so they might be compatible but you'd have to try it (just apply the hack and then try putting a phpnuke pass in there and logging on) or ask someone who knows phpnuke better.

Quote

Besides,
is it possible to decrypt all passwords of my users in phpnuke?


Wouldn't that defeat the purpose of encrypting them in the first place? ;)



The theory is that instead of knowing the password you take a password and encrypt it and compare the 2. If they match then it's the right password - but this way if someone compromises your database they can't really steal any user's passwords (and prevents unscrupulous admins from trying to use someone's password to get their mail in the case where the user uses the same password for everything).

Joachim Müller

« Reply #4 on: January 22, 2004, 05:58:05 pm »

Terragen's right: MD5 is a "one-way algorithm": it "converts" a plain-text (password) string to some encrypted string, so you can compare the encrypted bits, but there's no "way back" - you can't decrypt MD5-passwords.

GauGau
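
An added example, not code from this thread or from Coppermine, of the hash-and-compare login check described above. It goes beyond the thread's unsalted MD5 by upgrading each entry to a salted PBKDF2 record on the next successful login; the `pbkdf2$...` storage format, the work factor and the sample users are assumptions.

```python
import hashlib
import hmac
import os

ROUNDS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def md5_hex(password):
    """Unsalted MD5 hex digest: the legacy format discussed in this thread."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_record(password, salt=None, rounds=ROUNDS):
    """Salted, deliberately slow hash stored as 'pbkdf2$rounds$salt$digest'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2$%d$%s$%s" % (rounds, salt.hex(), digest.hex())

def verify(stored, password):
    """Re-hash the submitted password the same way and compare; nothing is decrypted."""
    if stored.startswith("pbkdf2$"):
        _, rounds, salt_hex, _ = stored.split("$")
        candidate = pbkdf2_record(password, bytes.fromhex(salt_hex), int(rounds))
    else:
        candidate = md5_hex(password)
    # Constant-time comparison of the two hash strings.
    return hmac.compare_digest(candidate.encode(), stored.encode())

def login(users, name, password):
    """Check a login; on success, replace a legacy MD5 entry with a PBKDF2 record."""
    stored = users.get(name)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2$"):
        users[name] = pbkdf2_record(password)
    return True

def migrate_plaintext(table):
    """One-off conversion of a plaintext password column to salted hashes."""
    return {name: pbkdf2_record(pw) for name, pw in table.items()}

if __name__ == "__main__":
    # Constructed sample data: one MD5 row, one plaintext table.
    users = {"alice": md5_hex("correct horse")}
    users.update(migrate_plaintext({"bob": "hunter2"}))
    print(login(users, "alice", "wrong"), login(users, "alice", "correct horse"))
    print(users["alice"].split("$")[:2], login(users, "bob", "hunter2"))
```

Unsalted MD5 is fast to compute and gives identical digests for identical passwords, which is why the example replaces it as soon as the correct password has been seen once.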

Chefkochx

« Reply #5 on: January 22, 2004, 09:28:12 pm »

Aha,
I've tested the MD5 passwords on my CPM and I've seen that they were encrypted very fast. If CPM can encrypt passwords so fast, then there must exist a program which can decrypt them at the same speed (otherwise users would have to wait very long at their login). I think this would be interesting.

Nibbler

« Reply #6 on: January 22, 2004, 09:49:31 pm »

the passwords are *never* decrypted, read what the people above just said  :roll:

Joachim Müller

« Reply #7 on: January 23, 2004, 01:02:41 am »

@Nibbler: Thanks :D

@Chefkochx: you are hereby given the "yellow card" :x (*gaugau utters warning in German*)...

GauGau