sNews Forum

Previous sNews versions => sNews 1.5 Final => Bug Report => Topic started by: michael kennedy on February 26, 2007, 09:40:06 pm

Title: case 'changeup' glitch
Post by: michael kennedy on February 26, 2007, 09:40:06 pm
Noticed a bug in 1.5.31 where the admin is supposed to be able to change the login and password from the admin panel. Instead everytime it throws a "Passwords do not match" error, even if the passwords do match.

Here's the old code from 1.5.30

Code: [Select]
case 'changeup':
if (isset($_POST['submit_pass'])) {
    if ($_POST['pass1'] == $_POST['pass2'] && strlen($_POST['pass1']) > 3 && !empty($_POST['uname'])) {
    $uname = $_POST['uname'];
    $pass = md5($_POST['pass1']);
    $query = "UPDATE ".db('prefix')."settings SET VALUE=";
            mysql_query($query."'$uname' WHERE name='username' LIMIT 1;");
    mysql_query($query."'$pass' WHERE name='password' LIMIT 1;");
notification('','','');
echo '';
        }
else {notification(l('pass_mismatch'),'','settings/');}
}
And here is the new, "improved" code in 1.5.31

Code: [Select]
case 'changeup':
if (isset($_POST['submit_pass'])) {
$user = checkUserPass($_POST['uname']);
$pass1 = checkUserPass($_POST['pass1']);
$pass2 = checkUserPass($_POST['pass2']);
/*session fingerprint mod begin - mandatory mod only if you're not using hardcoded variant*/
$secret = checkUserPass($_POST['secret']);
/*session fingerprint mod end*/
if (!empty($user) && !empty($pass1) && !empty($pass2) && $pass1 === $pass2) {
$uname = md5($user);
$pass = md5($pass2);
$query = "UPDATE ".db('prefix')."settings SET VALUE=";
mysql_query($query."'$uname' WHERE name='username' LIMIT 1;");
mysql_query($query."'$pass' WHERE name='password' LIMIT 1;");
echo notification('','','administration/');
        }
else {echo notification(l('pass_mismatch'),'','settings/');}
}
Title: case 'changeup' glitch
Post by: michael kennedy on March 09, 2007, 09:18:32 pm
No one else has experienced this bug in 1.5.31?   :/  I've downloaded 1.5.31 again, and it's happening... again.

I also applied this SQL update here (http://www.solucija.com/forum/viewtopic.php?id=3227) so my username was md5 encrypted too, but I doubt thats related to this.

Edit:   It seems that the username/pass works if it's something simple, but anything complex like a strong username/password gets kicked back, with a password mismatch error. For example:

User: WorstSalesManGuy    
Pass: st0ckt0np0rt5

Doesn't work, but it should. Any ideas why?

Here is a md5 tool (http://www.iwebtool.com/md5) you can use for testing by inserting values into the DB if you want to.
Title: case 'changeup' glitch
Post by: codetwist on March 09, 2007, 09:32:13 pm
Couldn't this be due to password & username size limitations. Like too good ... errr ... too long password?

If You already changed these limitations in sNews code then I've no other ideas; if not then search more in forum - there were thread about this issue.
Title: case 'changeup' glitch
Post by: codetwist on March 09, 2007, 10:05:45 pm
That's no problem because before it's already checked that pass1 is equal to pass2.

Look in this one Username and Password Length (http://www.solucija.com/forum/viewtopic.php?id=3346)
Title: case 'changeup' glitch
Post by: codetwist on March 09, 2007, 10:09:18 pm
Where that post disappeared, huh, mike  :D
Title: case 'changeup' glitch
Post by: michael kennedy on March 09, 2007, 10:14:29 pm
LOL, your suggestion did the trick.  What post?  :lol:
Title: case 'changeup' glitch
Post by: digit on April 11, 2007, 09:05:34 pm
As other people have stated, it's probabily a length issue. I just reported this here (http://www.solucija.com/forum/viewtopic.php?id=4027).