Password Reset Feature Not Working

matt6805

I found this really great directory skinning script called Relay: http://www.ecosmear.com/relay/. One thing that it's really missing is a forgot password feature, So I started writing a routine that allows users to reset their passwords. The passwords are generated using MD5, and from what I've read it would be impossible to decrypt this.

So there's a function within the app that does this:

function newPassword($current,$new){
 $query = "select * from $GLOBALS[tablePrefix]users where id=$_SESSION[userid] and password=md5(\"G8,rMzw6BrBApLU9z$current\")";
 $result = mysql_query($query);

 if(mysql_num_rows($result) == 1){
  logAction('newPassword',$_SESSION['user']);
  $pass = mysql_escape_string($_GET['pass']);
  $query = "update $GLOBALS[tablePrefix]users set `password`=md5(\"G8,rMzw6BrBApLU9$new\") where id=$_SESSION[userid]";
  $result = mysql_query($query)||die(mysql_error());
 }else{
  error("bad current password");
 }
}

I grabbed this bit of the code, and put it into a password reset page:

  $query = "update $GLOBALS[tablePrefix]users set `password`=md5(\"G8,rMzw6BrBApLU9$new_pass\") where email=$email";
  $result = mysql_query($query)||die(mysql_error());

Once the user fills out a simple form with their new password ($new_pass), this code runs. I changed some of the variables to grab from a simple form on the password reset page. I had to remove $_SESSION[userid] as the qualifying factor because no sessions been started yet. So, I used the supplied ID in place of that.

When I run this code, it appears to update the database as expected, and I get a random hash value for the new password. However, when I try to login with the new password I supplied, it doesn't work. I tried the same sequence of events by taking off the md5 encryption, so the passwords write to the database table as a plain string of text. I still can't login.

I think I'm very close to getting this working, but I can't figure out the last step to understand why I can't login with my new password. I hope I've given enough information so that someone can help out here. Any takers? Thanks!

Regards,
Matt

big_nerd

I just noticed something:

matt6805 wrote:

query = "select * from $GLOBALS[tablePrefix]users where id=$_SESSION[userid] and password=md5(\"G8,rMzw6BrBApLU9z$current\")";

and

matt6805 wrote:

 $query = "update $GLOBALS[tablePrefix]users set `password`=md5(\"G8,rMzw6BrBApLU9$new_pass\") where email=$email";
  $result = mysql_query($query)||die(mysql_error());

Look at the part that says : G8,rMzw6BrBApLU9z
Now look at the 2nd string: G8,rMzw6BrBApLU9

Do you notice how one is missing the "z" ?

That junk before hand is almost like an encryption salt, as there are websites out there which have large dictionaries already hashed in md5 that people can post the 'encrypted' (using this term loosely) and get the result.

With that being said, it is my thought that the string before the $new_pass, etc has to be exact!

make sure that you check the original script's code to see if there is actually a difference in that string (as you have pasted here) in this case, that one letter off will cause a completely different hash (or 'encryption').

otherwise, I recommend grabbing the user ID from the email, rather than updating BY email.

$query = "SELECT id FROM ".$GLOBALS[tablePrefix]users." WHERE `email` = '$email' ORDER BY id LIMIT 1";

This will grab the FIRST ID for the person with that e-mail. There may be other qualifying code like active/inactive if there is any chance of repeat e-mails.

Then take the "ID" response, and update using virtually same code (with the exception that it will be a grabbed it, verses a session) that the original author used.

Also try encasing the $email in single quotes, like:

$query = "update $GLOBALS[tablePrefix]users set `password`=md5(\"G8,rMzw6BrBApLU9$new_pass\") where `email`='$email'";
  $result = mysql_query($query)||die(mysql_error());

matt6805 wrote:
The passwords are generated using MD5, and from what I've read it would be impossible to decrypt this.

This is true, as it is not encryption it is actually a hash, however there are databases out there which have run md5 on various language dictionaries which they can make a comparison with.

This is why the script has that "extra" stuff before the actual password, it is being used almost like an encryption salt, rendering these sites pretty much useless.

matt6805

Ok, I went back and looked at the original source code, that 'z' must have fallen into the code from one of my many 'undo' ctrl + z commands 🙂

I removed the 'z' and ran the code again, but I still can't login. I also tried to remove the salt string so it looks like this:

$query = "UPDATE relay_users SET password=md5('$new_pass') WHERE email='$verify_address'";

Still no dice. The only place that I can effectively change a users login is on the admin backend panel. Changing the users password there seems to be controlled by this bit of code. It's part of a switch statement:

case "newPassword":
			if(isset($_GET['uid'],$_GET['pass'],$_GET['passconf']) && $_GET['pass'] == $_GET['passconf'] && $_GET['pass'] != ''){
				$pass = mysql_escape_string($_GET['pass']);
				$query = "update $GLOBALS[tablePrefix]users set `password`=md5(\"$key"."$pass\") where id=$options[uid]";
				#echo $query;
				$result = mysql_query($query)||die(mysql_error());
				header("location: index.php?page=manage&module=users&action=details&uid=$_GET[uid]");
			}else{
				error("The password you specified was blank or did not match");
			}

In the conig file, I found this variable:

$passwordKey = "08e1b6f4fcc35fd0a1c3ce1918a9ef77";

And on the admin side:

$key=$passwordKey;

so the password key is assigned to $key. Not sure if this has something to do with the salting?

I appreciate the help so far.

Regards,
Matt

big_nerd

matt6805,

I will try to download this thing since it looks pretty cool anyways. However my first thoughts, since what you've shown me now is considerably different from what you've tried, lets go back to step 1.

"update $GLOBALS[tablePrefix]users set `password`=md5(\"$key"."$pass\") where id=$options[uid]";

This is the one you need to worry about.

Try to get $key to get the same value as the admin side from the client side of your script, since this is obviously a key factor (no pun intended).

$id = user_id;
$pass = $new_password
$key = "08e1b6f4fcc35fd0a1c3ce1918a9ef77"; // (if that is the same from the admin, be sure to check EXACTLY)

"update {$GLOBALS[tablePrefix]}users set `password`=md5(\"$key"."$pass\") where id=$id";

Otherwise I will try to download / inspect the software when I can.

If you get nowhere within a couple days feel free to PM me, but keep trying here first, in case someone can help.

matt6805

Hey Big Nerd, I forgot to get back to you on this. Your suggestion above worked! I've just been busy and haven't had the chance to thank you! So thanks 🙂

Regards,
Matt