I need this part of the code changed:
/** * Check if a username+password pair is a valid login. */ function authenticate( $username, $password ) { $dbr =& $this->getAuthPressDB();
$res = $dbr->selectRow($this->getAuthPressUserTableName(), "password", "name=".$dbr->addQuotes($username), "AuthPress::authenticate" );
if( $res && ( $res->passwd == MD5( $password ))) { return true; } else { return false; }
I don't believe that you have enough information.
First, the reason that password authentication uses hashing is to keep from storing passwords in the clear. Instead various cryptographic hashes are used to hide the actual password. MD5 is not the only hash algorithm. SHA-1 used to be popular but early in 2005 a Chinese academic paper showed that it was not as secure as once believed. PHP and MySql also have functions intended for password encryption. So first you need to know what hash algorithm invisionboard is using.
Second, the problem with JUST hashing the password is that a given password will produce the same hash value everytime. This allows an attack in which various passwords are hashed and compared to the hash values in the database. The solution to this is to add another variable which is independent of the password. This is what a salt is. It is typically a random value which is generated when the user/password combination is registered. The hash is then generated by modifying the password with the salt in some fashion before applying the hash function. The salt is stored with the hashed password so that it can be used when the password needs to be authenticated again. Often the salt is also stored in a way which obfuscates it's effective value. For example a longer random value might be generated and stored, and some substring is the actual salt used. So you need to understand enough about the authentication code to know what the actual salt value is, and then how it is used to modify the password.
So you need to find out three things besides how to pull the values from the DB:
1) Which cryptographic hash is being used? 2) How is the effective salt value computed from the value in the database? 3) How is the resulting effective salt value used to alter the password before it is hashed?
If the invisionboard code is open source or otherwise available to you, you can determine those three things and proceed. If not you've got a tough job.
mediawiki-l@lists.wikimedia.org