Login fails after password change

doh
Posts: 2
Joined: Tue Jan 14, 2020 9:34 am

Login fails after password change

Post by doh »

Hi,

I'm having problem with password change via phpBB and I couldn't find any information about it. Problem occurs when user change password from phpBB. After password change user can login in to phpBB but login in to Wordpress fails with new and old password. Before password change login works for both.

What I'm missing?

User avatar
axew3
w3all User
w3all User
Posts: 1777
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Login fails after password change

Post by axew3 »

checking ...

User avatar
axew3
w3all User
w3all User
Posts: 1777
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Login fails after password change

Post by axew3 »

You miss nothing, phpBB 3.3.0 add something:

Code: Select all

Argon2i and Argon2id password hashing - Argon2i (on PHP 7.2) and Argon2id (PHP >= 7.3) are supported
checking to resolve asap!

User avatar
axew3
w3all User
w3all User
Posts: 1777
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Login fails after password change

Post by axew3 »

OK! here we go ...
The plugin will be released within today to fix this, and really minor fixes.
Still this way, the code will thrown php error notice, that in non debug you'll not see, if passed password will be wrong.
The complete code is coming in minutes, and the release of the plugin also

To fix this problem, the most short way is this:

OPEN wp_w3all.php and where this code ( into function function wp_check_password($password, $hash, $user_id) { )

Code: Select all

	 // If the hash is still md5...
    if ( strlen($hash) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );
     }
IMMEDIATELY after, ADD:

Code: Select all

 $check = password_verify($password, $hash);
thank for the report, follow if you find out bugs please!

User avatar
axew3
w3all User
w3all User
Posts: 1777
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Login fails after password change

Post by axew3 »

The new plugin version is on release to fix this, so the
function wp_check_password($password, $hash, $user_id) { into wp_w3all.php file,
will be switched (at moment but the function will be totally rewrite, even if it work fine as will be now) to this:

Code: Select all

function wp_check_password($password, $hash, $user_id) {
   global $wpdb,$wp_hasher;
      
   $password = trim($password);
   
   if( $user_id < 1 ){ return; }
 
    $is_phpbb_admin = ( $user_id == 1 ) ? 1 : 0; // switch for phpBB admin // 1 admin 0 all others
     $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
     $wpu = $wpdb->get_row("SELECT * FROM $wpu_db_utab WHERE ID = '".$user_id."'");
 if(!empty($wpu)){
   $changed = WP_w3all_phpbb::check_phpbb_passw_match_on_wp_auth($wpu->user_login, $is_phpbb_admin);
   
	 if ( $changed !== false ){ 
      $hash = $changed;
    }
	 	 
	 // If the hash is still md5...
    if ( strlen($hash) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );
     }
 
  if( strpos($hash,'$argon2i') !== false ){
  $check = password_verify($password, $hash);
  $HArgon2i = true;
 }
 
 if ( !isset($check) OR $check !== true && !isset($HArgon2i) ){ // md5 check failed or not fired above ...
	// new style phpass portable hash.
	if ( empty($wp_hasher) ) {
		require_once( ABSPATH . WPINC . '/class-phpass.php');
		// By default, use the portable hash from phpass
		$wp_hasher = new PasswordHash(8, true);
	}
	
    $check = $wp_hasher->CheckPassword($password, $hash); // WP check
  }

     if ($check !== true && strlen($hash) > 32 && !isset($HArgon2i)){ // Wp check failed ... check that isn't an md5 at this point before to follow or get PHP Fatal error in ... addons/bcrypt/bcrypt.php:111
       require_once( WPW3ALL_PLUGIN_DIR . 'addons/bcrypt/bcrypt.php');
       $password = htmlspecialchars($password);
       $ck = new w3_Bcrypt();
       $check = $ck->checkPassword($password, $hash);
     }
     
     if ($check === true){
     	if($wpu){
     	
     	  $phpBB_user_session_set = WP_w3all_phpbb::phpBB_user_session_set_res($wpu); 
     	  define("PHPBBCOOKIERELEASED", true); // then the session will be set on_login hook, if this filter bypassed
      } else {
           $check = false;
        }
     } 
 
	   return apply_filters( 'check_password', $check, $password, $hash, $user_id );
} else {
     	return apply_filters( 'check_password', false, $password, $hash, $user_id );
     }
}

endif;

doh
Posts: 2
Joined: Tue Jan 14, 2020 9:34 am

Re: Login fails after password change

Post by doh »

Thanks for fast response!
Modify fixed the problem.

User avatar
axew3
w3all User
w3all User
Posts: 1777
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Login fails after password change

Post by axew3 »

Released 2.0.9

Code: Select all

== Changelog ==

= 2.0.9 =
*Release Date - 14 Gen, 2020*
* Fix: (reported bug) password check in WordPress fail, if password change done by user in phpBB profile
* Minor Fix: page-forum.php to correctly set the targetOrigin value
* Minor Fix: page-forum.php -> to have Template Forum as template option when creating blank page in WordPress, and installed WP theme let choose between different templates to create a page. The pae Forums will be available to choose, and let work fit the template with no problems on layout. See: https://www.axew3.com/w3/2019/12/phpbb-wordpress-template-integration-iframe-v4/
* Note that also the iframe overall_footer.html v4 code has been updated to fix two issues (most important: correctly reposition iframe in certain conditions)

User avatar
axew3
w3all User
w3all User
Posts: 1777
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Login fails after password change

Post by axew3 »

P.s

about the password fix, to be clear, still the code isn't perfect, but normally will work.
When will not work?
When an hash will present chars sequence like this into string:
$2y$10$KVxgz$argon2i.sYBz2ffHPU..6ISD2.KcA6gIseKv4cKe...
due to this:
if( strpos($hash,'$argon2i') !== false ){
the sequence
$argon2i
could be present into an hash as part of it, and strpos used like this, search for this chars sequence, despite it is at BEGIN of the string OR NOT
$argon2i$v=19$m=1024,t=2,p=2$em4yaWRMWmdjRzFkUkVXaQ$TjPDZZt2peE+5uLuYscob7CA2ZgDFRYKJQs0Z80f7XM
we suppose can be very rare but can happen that an hash present sequence like the
$argon2i as part of it and NOT at the start. 1 into 1 million? Do not know, in this case the hash recognition will fail.
I only know it need to be resolved just: checking that the string is at begin of the string (easy!) or using native php function, we'll see

User avatar
axew3
w3all User
w3all User
Posts: 1777
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Login fails after password change

Post by axew3 »

So, i after check all things about, and i see all goes fine, until a password do not contain a character (for example) like "
"^K@rMtm5Pt%&""""\k5YYaDPO8xVl(Q

please update to

Code: Select all

== Changelog ==

= 2.1.0 =
*Release Date - 14 Gen, 2020*
* Fix: passwords hashing and password check flow, to be compatible between new phpBB3 3.3.0 and previsous 3.2 versions
* Fix: password containing special chars like " or may not allowed in WP like \ to be recognized and hashed correctly
* Add: phpBB 3.3.0 PASSWORD_ARGON2I and PASSWORD_ARGON2ID support
* Minor fixes
just released!

Post Reply