Password hashing method needs to be upgraded.

Description

MD5 is still used to hash passwords.

Suggest this mod is put into core so the latest algorithms are used:
http://www.oscmax.com/forums/showthread.php?t=32654

Environment

None

Steps to reproduce

None

Activity

Michael Sasek
November 6, 2016, 8:28 PM

Added missing include in password_funcs.php to use new hashing.

Michael Sasek
November 6, 2016, 8:25 PM

The above was not the issue with logins. I am committing a fix for that issue now. See issue

Michael Sasek
November 5, 2016, 10:21 PM

Thanks. Still a bit rusty. Forgot to commit them as usual. Coming later today.

Giles Marshall
November 5, 2016, 8:24 PM

I think you missed adding

require DIR_WS_FUNCTIONS . 'password_hash.php';

to

/catalog/admin/includes/functions/password_funcs.php

Giles

Michael Sasek
November 5, 2016, 6:57 PM
Edited

Not your fault. I broke the admin session handling with the mysqli update. I have a partial fix that allows logins to work but there are still some session handling issues in the admin (namely on the login screen itself and also categories.php).

I broke a few other things with the mysqli update as well (installer is not quite working right - some tables were not installing for me - I also have fixed that by updating the installer to use mysqli too).

The easiest temporary fix for the admin is to revert includes/functions/database.php to the previous version in your local installation - it fixes all the session issues in the admin.

I will commit the partial fix today so you can get back into the admin panel.

Done

Assignee

MichaelS

Reporter

Scott Murphy

Severity

Major