Changing vBulletin 4's password hashing to use BCrypt

Article: vBulletin 4 Articles, by vB.Org Poster, 10 Jul 2018, 10:07

This article has also been published at Changing vBulletin 4 its password hashing to use BCrypt | Technidev, my personal blog about security, exploits, development, etc.

Introduction
By default, vBulletin 4 stores passwords with a very basic scheme that is easy to crack: a salted MD5, md5(md5($password) . $salt), whose 32-character hex result is what ends up in the password column:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

With today's GPUs, cracking such a hash is a matter of minutes for any password that appears in a dictionary or a short brute-force keyspace: the per-user salt rules out precomputed rainbow tables, but MD5 itself is so cheap that attacking a dumped user table stays fast.

Fortunately, it is easy to change the password hashing. This guide changes vBulletin's hashing to BCrypt, a deliberately slow algorithm with a tunable cost factor that makes the same attack far more expensive. At the end of the guide a stored hash will look like this (a 60-character $2y$ string as produced by password_hash):

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]


Requirements for this guide:
- FTP access or permission to edit .php files on the server.
- PHP 5.5 or newer (the guide makes use of the password_hash function, available since 5.5).
- You must update all of the passwords in the current database (Step 4 does this in one pass).
- vBulletin 4.2.2 (the modification was made and tested on 4.2.2).
- Database access via SSH, phpMyAdmin or any other database management tool.

Create a backup of the files you are going to edit before starting, so you can always restore them if something goes wrong!

Step 1: modify the password column type

First, change the type of the password column in the user table: a legacy MD5 hash is 32 hex characters, but a BCrypt hash from password_hash is 60 characters, so a 32-character column would truncate or reject it and every login would fail.
You can do this in phpMyAdmin by changing the column to char(60), or by executing the following query:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

If you ever switch password_hash to another algorithm (PASSWORD_DEFAULT can change in future PHP releases), the hash length changes too; the PHP manual recommends a varchar(255) column for that reason, and it works just as well here.


Step 2: edit /includes/functions_login.php

Now modify the verify_authentication function in /includes/functions_login.php.
Look for:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

And replace it with:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

As its name says, this function verifies the authentication: it is where the submitted password is compared with the stored hash, so the MD5 comparison has to become a BCrypt verification here.


Step 3: edit /includes/class_dm_user.php

This file contains the verify_password and hash_password functions, which must be changed as well.
Look for the hash_password function:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

And replace it with:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

Now look for the verify_password function:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

And replace it with:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

verify_password has to change too because it contains the check that rejects a password identical to the username (not allowed by default); that comparison has to be made with the new hashing as well.


Step 4: update all passwords in the user table

The only downside of this approach is that every password hash in the database has to be rewritten.
But nobody has to change or reset their password: the new hash is BCrypt applied to the old hash, so the existing MD5 value is simply fed to password_hash, and at login the same MD5 value is recomputed from the submitted password and checked against the stored BCrypt hash.

Please make a backup of your database or user table before doing this, so you can restore it if it does not work as intended!

Create a file in the root of your forum and name it something like update_passwords.php. Contents of the file:

[Code block locked on this mirror: you must register or log in to view it. Blocked, unregistered or not-yet-approved users cannot access the code.]

This rewrites all of the current password hashes to use BCrypt.
If the script times out, run it again or raise the script execution timeout. Make sure a second run only touches rows that still hold a 32-character MD5 hash (a converted one starts with $2y$); wrapping an already converted hash a second time would lock that user out. Delete update_passwords.php as soon as it has finished: a script in the web root that rewrites every password hash must not stay reachable.


Step 5: verifying functionality

Now try to log in to your forum. If you get an incorrect username/password error, something went wrong in one of the steps above: check the column type from Step 1 first (a truncated hash never verifies), then the edits in Steps 2 and 3.
If login works, change your password and log in again to check that the new hash_password produces a valid hash as well.

I tested the login, registration, "remember me" checkbox and change-password functions on a local test forum, and they all worked fine.

Support will be provided here (comment box). I'll answer the most basic questions here at vbulletin.org.
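The scheme the four steps above describe, as an added example that is not part of the original article or of vBulletin's own files: BCrypt applied to the legacy hash, the matching login check, the password-equals-username check, and an idempotent migration pass. It assumes the legacy hash is md5(md5($password) . $salt) (the vBulletin 3/4 default), a user table with userid, password and salt columns under an optional table prefix, and PHP 5.5 or newer; the function names are mine, not the ones in functions_login.php or class_dm_user.php, and the sample salt and password at the end are constructed.

```php
<?php
// Added example, not the article's code: "BCrypt over the legacy hash" as
// stand-alone functions plus an idempotent migration pass.
// Assumptions: legacy hash = md5(md5($password) . $salt) (vBulletin 3/4 default),
// table `{$prefix}user` with columns userid, password, salt; PHP >= 5.5.
// Function names are illustrative, not the ones used in vBulletin's files.

// Legacy vBulletin hash of a plaintext password (32 hex characters).
function vb_legacy_hash($password, $salt)
{
    return md5(md5($password) . $salt);
}

// vBulletin's login form may already deliver md5($password) (its md5password
// field); in that case only the outer step is needed.
function vb_legacy_hash_from_md5($md5password, $salt)
{
    return md5($md5password . $salt);
}

// Is this stored value already a BCrypt hash produced by password_hash()?
function vb_is_bcrypt($stored)
{
    return strncmp((string) $stored, '$2y$', 4) === 0 && strlen($stored) === 60;
}

// New stored hash: BCrypt over the legacy hash. Cost 10 is PHP's default;
// raise it if your hardware can afford a slower login.
function vb_hash_password($password, $salt, $cost = 10)
{
    return password_hash(vb_legacy_hash($password, $salt), PASSWORD_BCRYPT, array('cost' => $cost));
}

// Migration variant: wrap an existing legacy hash without knowing the plaintext.
function vb_wrap_legacy_hash($legacy_hash, $cost = 10)
{
    return password_hash($legacy_hash, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Login check (what replaces the MD5 comparison in verify_authentication).
// A row that was never migrated is rejected instead of falling back to MD5.
function vb_verify_password($password, $salt, $stored)
{
    if (!vb_is_bcrypt($stored)) {
        return false;
    }
    return password_verify(vb_legacy_hash($password, $salt), $stored);
}

// The "password must not equal the username" rule, expressed against the new hash.
function vb_password_equals_username($username, $salt, $stored)
{
    return password_verify(vb_legacy_hash($username, $salt), $stored);
}

// One idempotent pass over the user table: widen the column, then wrap every row
// that still holds a 32-character MD5 hash. Safe to re-run after a timeout.
function vb_migrate_passwords(mysqli $db, $prefix = '', $cost = 10)
{
    $db->query("ALTER TABLE `{$prefix}user` MODIFY `password` CHAR(60) NOT NULL DEFAULT ''");
    $update = $db->prepare("UPDATE `{$prefix}user` SET `password` = ? WHERE `userid` = ?");
    $rows = $db->query("SELECT `userid`, `password` FROM `{$prefix}user`");
    $converted = 0;
    while ($row = $rows->fetch_assoc()) {
        if (vb_is_bcrypt($row['password'])) {
            continue;                               // already converted on an earlier run
        }
        if (!preg_match('/^[0-9a-f]{32}$/', $row['password'])) {
            continue;                               // not a legacy hash either; leave it alone
        }
        $new = vb_wrap_legacy_hash($row['password'], $cost);
        $userid = (int) $row['userid'];
        $update->bind_param('si', $new, $userid);
        $update->execute();
        $converted++;
    }
    return $converted;
}

// Self-check that needs no database: constructed salt and password.
$salt   = 'a1b';
$legacy = vb_legacy_hash('correct horse battery', $salt);
$stored = vb_wrap_legacy_hash($legacy);               // what Step 4 writes into the table

if (strlen($stored) !== 60 || !vb_is_bcrypt($stored)) {
    throw new RuntimeException('unexpected hash format');
}
if (!vb_verify_password('correct horse battery', $salt, $stored)) {
    throw new RuntimeException('correct password was rejected');
}
if (vb_verify_password('correct horse battery!', $salt, $stored)) {
    throw new RuntimeException('wrong password was accepted');
}
if (vb_verify_password('correct horse battery', $salt, $legacy)) {
    throw new RuntimeException('unmigrated MD5 row must not verify');
}
echo "ok\n";
```

In an update_passwords.php you would open a mysqli connection with the forum's credentials, call vb_migrate_passwords($db, $tableprefix), print the returned count, and delete the file. The inner MD5 step adds no strength by itself; it is only there so existing rows can be converted without the plaintext, and the attacker's cost per guess is set entirely by the BCrypt cost factor.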
