PostNuke

Flexible Content Management System

News

MD5 crypt will break your login password

Contributed by This will be address on Sep 21, 2001 - 02:18 AM




If you use a non-DES crypt as your default crypt, PHP will use it. But PostNuke is hardcoded to use 2 char salt (aka DES salt), so you will unable to login as any users. MD5 uses 12 char salt. PHP sets a constant for the salt length, and it should be used, not hardcoded.












The fix is trivial:












in user.php, Replace:












$pass=crypt($pass,substr($dbpass,0,2));












with:












$pass=crypt($pass,substr






($dbpass,0,CRYPT_SALT_LENGTH));


















P.S. PhpNuke also suffers from this I believe.






1125