
nerddtvg - 29 Dec 2014

Authentication: Fixing issues with legacy MD5 hashes with empty salts that contain a colon (':') in the DB

I upgraded from 3.0.3 to 3.3.6 recently and found some legacy users were unable to log in. These users had MD5-hashed passwords with empty salts. However, in the DB the colon (':') was still appended to the password at the end. The hash comparison in helper.php did not take this into account and thus denied them when trying to log in.

Examples:
Plaintext: test
Salt: (empty)
DB Hash: 098f6bcd4621d373cade4e832627b4f6 (no colon)
Result: Login succeeds

Plaintext: test
Salt: (empty)
DB Hash: 098f6bcd4621d373cade4e832627b4f6: (with colon)
Result: Login fails

Plaintext: test
Salt: 1234
DB Hash: 16d7a4fca7442dda3ad93c9a726597e4:1234 (with colon and salt)
Result: Login succeeds

The modified code assumes that if there was a ':' found in the original hash (strpos), and the salt is empty (second half of the conditional), it must have been at the end of the string. We re-add that so the hash comparison works properly.

After the change, all three of the examples listed above work, indicating the original legacy users and my broken users work just fine.

nerddtvg - open - 29 Dec 2014
jissues-bot - change - 29 Dec 2014
brianteeman - comment - 29 Dec 2014

How is it possible to create a password without a salt?

Joomla 3.0.3 created passwords with a salt

Also, I just checked on 3.0.3 by removing the salt in the DB, just leaving the trailing colon, and it was NOT possible to log in.


nerddtvg - comment - 29 Dec 2014

@brianteeman: These users are very, very legacy. Some from the 1.x days. A password could be generated without the salt then. Joomla just never rewrote the hashes in the database, for some reason or another. In 3.3.6, when one of these legacy users does login, it rewrites their hashes to use the Blowfish algorithm, which makes me very happy to see. But first I need to get them logged in.

You can't just remove the salt, obviously. You have to have hashed the password without a salt as well. Take one of my examples above and try it out. The first one is the word 'test' without a salt, a straight MD5 hash of that word.

brianteeman - comment - 29 Dec 2014

Not sure I understand how that could have ever happened, but I can confirm your findings and that the PR resolves it.


brianteeman - test_item - 29 Dec 2014 - Tested successfully
nerddtvg - comment - 29 Dec 2014

Simply put, this site was a replacement for a J1.0 site. We imported users from the old site. That's how we ended up with these old hashes and logins. The only issue we had with it was that Joomla didn't rewrite the hashes. Whatever caused it not to do that was resolved inside the last two years the site has been in production without an upgrade. Thus these users' terrible hashes stuck around a while.

Thanks for confirming the change!

wilsonge - comment - 29 Dec 2014

I've created nerddtvg#1 against your branch, which adds a unit test for your passwords.

nerddtvg - comment - 29 Dec 2014

@wilsonge Thank you, I've gone ahead and merged it.

brianteeman - change - 29 Dec 2014
Category: Authentication
wilsonge - close - 29 Dec 2014
wilsonge - change - 29 Dec 2014
Status changed from Pending to Closed
Closed_Date changed from 0000-00-00 00:00:00 to 2014-12-29 22:03:40
wilsonge - comment - 29 Dec 2014

Merged - thanks!

nerddtvg - comment - 29 Dec 2014

Thank you!
