Author Topic: case 'changeup' glitch  (Read 4049 times)

michael kennedy

« on: February 26, 2007, 09:40:06 PM »

Noticed a bug in 1.5.31 where the admin is supposed to be able to change the login and password from the admin panel. Instead, every time it throws a "Passwords do not match" error, even if the passwords do match.

Here's the old code from 1.5.30

Code:
case 'changeup':
    if (isset($_POST['submit_pass'])) {
        if ($_POST['pass1'] == $_POST['pass2'] && strlen($_POST['pass1']) > 3 && !empty($_POST['uname'])) {
            $uname = $_POST['uname'];
            $pass = md5($_POST['pass1']);
            $query = "UPDATE ".db('prefix')."settings SET VALUE=";
            mysql_query($query."'$uname' WHERE name='username' LIMIT 1;");
            mysql_query($query."'$pass' WHERE name='password' LIMIT 1;");
            notification('','','');
            echo '';
        }
        else {notification(l('pass_mismatch'),'','settings/');}
    }

And here is the new, "improved" code in 1.5.31

Code:
case 'changeup':
    if (isset($_POST['submit_pass'])) {
        $user = checkUserPass($_POST['uname']);
        $pass1 = checkUserPass($_POST['pass1']);
        $pass2 = checkUserPass($_POST['pass2']);
        /*session fingerprint mod begin - mandatory mod only if you're not using hardcoded variant*/
        $secret = checkUserPass($_POST['secret']);
        /*session fingerprint mod end*/
        if (!empty($user) && !empty($pass1) && !empty($pass2) && $pass1 === $pass2) {
            $uname = md5($user);
            $pass = md5($pass2);
            $query = "UPDATE ".db('prefix')."settings SET VALUE=";
            mysql_query($query."'$uname' WHERE name='username' LIMIT 1;");
            mysql_query($query."'$pass' WHERE name='password' LIMIT 1;");
            echo notification('','','administration/');
        }
        else {echo notification(l('pass_mismatch'),'','settings/');}
    }

michael kennedy

« Reply #1 on: March 09, 2007, 09:18:32 PM »

No one else has experienced this bug in 1.5.31?   :/  I've downloaded 1.5.31 again, and it's happening... again.

I also applied this SQL update here so my username was md5 encrypted too, but I doubt that's related to this.

Edit:   It seems that the username/pass works if it's something simple, but anything complex like a strong username/password gets kicked back, with a password mismatch error. For example:

User: WorstSalesManGuy    
Pass: st0ckt0np0rt5

Doesn't work, but it should. Any ideas why?

Here is an md5 tool you can use for testing by inserting values into the DB if you want to.

codetwist

« Reply #2 on: March 09, 2007, 09:32:13 PM »

Couldn't this be due to password & username size limitations? Like too good ... errr ... too long password?

If you already changed these limitations in the sNews code then I've no other ideas; if not, then search more in the forum - there was a thread about this issue.

codetwist

« Reply #3 on: March 09, 2007, 10:05:45 PM »

That's no problem because before it's already checked that pass1 is equal to pass2.

Look in this one: Username and Password Length

codetwist

« Reply #4 on: March 09, 2007, 10:09:18 PM »

Where did that post disappear, huh, mike?  :D

michael kennedy

« Reply #5 on: March 09, 2007, 10:14:29 PM »

LOL, your suggestion did the trick.  What post?  :lol:

digit

« Reply #6 on: April 11, 2007, 09:05:34 PM »

As other people have stated, it's probably a length issue. I just reported this here.
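
The failure mode discussed in this thread, as an added example that is not part of any post and is not sNews code: the body of checkUserPass() is not shown on the page, so checkUserPassStandIn() and its MIN_LEN/MAX_LEN limits are assumptions. It shows how a validator that returns null for over-length input sends matching passwords into the pass_mismatch branch, next to a variant that reports the actual reason.

```php
<?php
// Hypothetical stand-in for checkUserPass(): the thread never shows its body.
// Assumption: it returns null for input that is not alphanumeric or that falls
// outside a fixed length window (MIN_LEN and MAX_LEN are made-up values).
const MIN_LEN = 4;
const MAX_LEN = 12;

function checkUserPassStandIn(string $input): ?string {
    $len = strlen($input);
    return (ctype_alnum($input) && $len >= MIN_LEN && $len <= MAX_LEN) ? $input : null;
}

// The 1.5.31 condition from the first post: one error branch for every failure.
function changeupAsPosted(string $uname, string $p1, string $p2): string {
    $user  = checkUserPassStandIn($uname);
    $pass1 = checkUserPassStandIn($p1);
    $pass2 = checkUserPassStandIn($p2);
    if (!empty($user) && !empty($pass1) && !empty($pass2) && $pass1 === $pass2) {
        return 'ok';
    }
    return 'pass_mismatch';
}

// Same checks, but each rejection is reported for what it is.
function changeupWithReasons(string $uname, string $p1, string $p2): array {
    $errors = [];
    if ($p1 !== $p2) {
        $errors[] = 'passwords do not match';
    }
    foreach (['username' => $uname, 'password' => $p1] as $field => $value) {
        $len = strlen($value);
        if ($len < MIN_LEN || $len > MAX_LEN) {
            $errors[] = "$field length $len is outside " . MIN_LEN . '-' . MAX_LEN;
        } elseif (!ctype_alnum($value)) {
            $errors[] = "$field contains non-alphanumeric characters";
        }
    }
    return $errors;
}

// Credentials quoted in Reply #1: the two passwords are identical.
echo changeupAsPosted('WorstSalesManGuy', 'st0ckt0np0rt5', 'st0ckt0np0rt5'), "\n";
print_r(changeupWithReasons('WorstSalesManGuy', 'st0ckt0np0rt5', 'st0ckt0np0rt5'));
// A short alphanumeric pair passes the posted condition.
echo changeupAsPosted('mike', 'abcd1234', 'abcd1234'), "\n";
```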