Can someone link me to the fix where people can't hash passwords of users?
Because this is possible with the regular RevCMS version.
Well, RevCMS currently uses just MD5 encryption. You could make a simple test when they log in. Now, this is pseudo code, so do not just copy and paste this, but it would look something like this:
Code:
// Assumes $pdo is an open PDO connection to the CMS database
$stmt = $pdo->prepare("SELECT password FROM users WHERE username = ? LIMIT 1");
$stmt->execute([$postedUsername]);
$test = $stmt->fetch(PDO::FETCH_ASSOC);
$newPass = sha1($postedUsername . md5($postedPass));
if ($test && hash_equals($test['password'], md5($postedPass))) {
    // Old MD5 hash matched: update this user's row only
    $upd = $pdo->prepare("UPDATE users SET password = ? WHERE username = ?");
    $upd->execute([$newPass, $postedUsername]);
    //Login
} else if ($test && hash_equals($test['password'], $newPass)) {
    //Login
} else {
    //Incorrect Login
}

The Goal Of This:
While users can still log in, every time they log in their password will still be changed in the background to a more secure (there are still better options than this...) password. But I recommend fixing this up, because I just coded this in 2 minutes and it's not the best :) Maybe someone will reply and fix my code to help him out.
No. You are mistaken in your question. There may be an exploit in some RevCMS themes where you can get access to the hashed password, but that does not mean there is an exploit with the passwords. Password encryption in MD5 is not secure and can easily be dehashed from online databases, which is the problem with RevCMS.
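Added example (not part of the original thread and not RevCMS code): the upgrade-on-login idea from the reply above, moved to PHP's built-in `password_hash()` API in place of SHA1, which addresses the weakness of stored MD5 hashes raised in the last reply. The `users` table layout, the `login()` function name and the sample accounts are assumptions constructed for the demo.

```php
<?php
// Added example, not RevCMS code. Table layout, login() and the sample
// accounts are constructed. The password column needs at least 60
// characters for bcrypt; 255 leaves room for future algorithms.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // unknown user
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy format 1: bare MD5
        $ok = hash_equals($stored, md5($password));
    } elseif (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        // Legacy format 2: SHA1(username . MD5(password)) from the thread
        $ok = hash_equals($stored, sha1($username . md5($password)));
    } else {
        // Current format: salted, slow hash produced by password_hash()
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }
    // Legacy hex hashes always need a rehash; so do outdated cost settings.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password VARCHAR(255))');
$ins = $pdo->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['alice', md5('hunter2')]);             // legacy MD5 row
$ins->execute(['bob', sha1('bob' . md5('letmein'))]); // SHA1 scheme row
$sel = $pdo->prepare('SELECT password FROM users WHERE username = ?');

// Each attempt prints the result and the start of the hash stored afterwards.
$attempts = [['alice', 'wrong'], ['alice', 'hunter2'], ['bob', 'letmein'], ['alice', 'hunter2']];
foreach ($attempts as [$u, $p]) {
    $result = login($pdo, $u, $p) ? 'ok' : 'rejected';
    $sel->execute([$u]);
    printf("%-6s %-8s %-8s stored: %.12s...\n", $u, $p, $result, $sel->fetchColumn());
}
```

Accounts that never log in again keep their legacy hash, so the migration is only complete once those rows are reset or expired.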
uuuuuuuuuuuuuuuuup