MD5 Hashing Insecure
  • #16
    Hi there Mike:

    Quite simple actually, enable the security module in SC, it'll create several applications:

    In my case I remade the sec_users form, so in the onbeforeinsert and onbeforeupdate events I added the following code:

    PHP Code:
    {pswd} = hash('SHA512', {password});
    The {pswd} is a hidden field which holds the password to be encrypted, while the {password} field is the one the user uses to enter the new password.

    The hash function is quite straightforward, as you can see.

    In your sec_login application you only have to modify the onvalidate event.

    PHP Code:

    $slogin = sc_sql_injection({login});   // macro quotes/escapes the login value
    $spswd  = hash('SHA512', {pswd});      // same algorithm as in onbeforeinsert

    $sql = "SELECT
            priv_admin,
            active,
            name,
            email
              FROM sec_users
              WHERE login = " . $slogin . "
              AND pswd = '" . $spswd . "'";   // the hash is a string, so it must be quoted

    sc_lookup(rs, $sql);
    As you can see, all I'm doing is to get the pswd field of the sec_login screen and use the same algorithm I used for when they create the password, and then I look for the username and "encrypted password" in the database; if no user meets the criteria... then the user is invalid.

    Hope this helps.

    If you have any questions, please do not hesitate.

    Regards



    • #17
      Oh kafe, thanks a lot dude, I was really shocked when I took the md5 hash and put it on some website and it told me "password found" and then showed it to me!!

      What I want to understand: if PHP is decrypting it anyway in the process of the application, then anybody can decrypt it the same way and see it as free text! So this is applicable even if sha512 is used as well! The problem is maybe I don't understand how this mechanism works grrrrrrrrrr

      Now, I've done what you said above as a quick test earlier, changed it in edit_users and also in the login application; I saw that the password is being stored encrypted in the database with a different hash than using md5 (same password), but the login application didn't authenticate, didn't open the project login screen... so I didn't think it would be that easy!

      Just to clear things out, let's take it less than easy... when storing the password field to the database it should go with an encryption method, no matter if md5 or sha512. Now we have the hash in the database, then we need to inform the login application to use the same algorithm to decrypt it in order to authenticate correctly, right!?

      In this case, if that is true, then we can't apply this to an ongoing project; all passwords should be using sha512 because the login app will use sha512 to decrypt it all the time, so if the one stored was an md5 hash, it will not work!

      Moreover, do you think in this case the password field should be increased from varchar 32 to something else? If yes, what varchar, should it be 512? More? Is this why my problem happened? Something like when decrypting it doesn't store the full hash (only 32 chars), so the login app isn't able to decrypt? Because varchar32 is being used by SC security when created (assuming md5). What do you think?

      One last thing: in this case we have to apply all this stuff to each project we create? Is there a way to save the modified applications and use them with the next projects? I am really finding it stupid to go through all the changes we do for each project, including the minor changes to security apps and headers/footers templates, theme usage... how can we do something to be used later in other projects!?

      Well, those are very important points; if you think we need a session, that will be great and better actually, the only problem is the timing dude

      let me know what you think please



      • #18
        Hi there Mike:

        Well firstly, you need to understand what a HASH is... when you hash something you scramble the data to a fixed size... that means it is not reversible (reason why it is used for non-reversible passwords). In this case sha512 is 512 bits long, around 64 chars. If you are wondering how a website can decrypt something that is supposed to be irreversible... the answer is simple, commonly they would use 2 ways:

        1.- an md5 database
        2.- they use an algorithm to generate md5's until it matches yours.

        If you verify the code I sent you... I'm not decrypting anything... I'm comparing the hashed value of the password against the database.

        Now secondly, you are right... you can't use this in an ongoing project without resetting the passwords; for that you can use several approaches (from... hey guys guess what, "you all need to change your password" to... hey guys... "I took the liberty of resetting your password"). This is due to the inherent use of "HASHing".

        Thirdly, again you are right... you need to apply everything to your new projects... tho... remember you can import and export the applications... meaning it is not needed to recreate everything, maybe just tuning it.


        Regarding the meeting... we simply need to work it out man.

        Regards

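The two points made in #18 (a hash is one-way and fixed-size, so login compares hash against hash; and an md5 database works because an unsalted hash of a given password is the same everywhere) can be seen directly in PHP. This is an added example, not code from the thread or from Scriptcase; the passwords and the three-entry "precomputed table" are constructed sample values, and password_hash()/password_verify() are PHP's built-in salted, slow password hashing, offered here as the alternative to a bare sha512:

```php
<?php
// Added example (not from the thread): what "hashing, not decrypting" means,
// and why an unsalted hash can be looked up in a precomputed table.

// Registration step as in the thread: store only the unsalted sha512 hex digest.
// hash('sha512', ...) returns 128 hex characters (md5 returns 32).
function storeSha512(string $password): string {
    return hash('sha512', $password);
}

// Login step: nothing is decrypted; the typed password is hashed again and the
// two digests are compared. hash_equals() compares in constant time.
function checkSha512(string $stored, string $typed): bool {
    return hash_equals($stored, hash('sha512', $typed));
}

// Alternative: PHP's password API. A fresh random salt is generated on every call
// and the cost factor makes each guess slow, so a precomputed table cannot apply.
function storeBcrypt(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkBcrypt(string $stored, string $typed): bool {
    return password_verify($typed, $stored);
}

// A tiny constructed "hash database" of the kind #18 describes: digests of a few
// very common passwords. It is built once and answers for every site that stores
// the same unsalted algorithm, whether md5 or sha512.
$common = ['password', '123456', 'qwerty'];   // constructed sample list
$table  = [];
foreach ($common as $p) {
    $table[hash('sha512', $p)] = $p;
}

$alice = storeSha512('123456');   // constructed sample user
$bob   = storeSha512('123456');   // second user, same password
printf("same password gives the same unsalted hash: %s\n", $alice === $bob ? 'yes' : 'no');
printf("hash found in the precomputed table: %s\n", $table[$alice] ?? 'not found');
printf("sha512 hex digest length: %d characters\n", strlen($alice));
printf("sha512 check with the right password: %s\n", checkSha512($alice, '123456') ? 'accepted' : 'rejected');

$alice2 = storeBcrypt('123456');
$bob2   = storeBcrypt('123456');
printf("same password gives the same salted hash: %s\n", $alice2 === $bob2 ? 'yes' : 'no');
printf("salted check with the right password: %s\n", checkBcrypt($alice2, '123456') ? 'accepted' : 'rejected');
printf("salted check with a wrong password: %s\n", checkBcrypt($alice2, 'letmein') ? 'accepted' : 'rejected');
```

Run it with `php example.php`. The length line is the practical answer to the column-size question raised in #17: a sha512 hex digest needs a column of at least 128 characters, not 32 or 64, and a bcrypt string from password_hash() needs 60 (the PHP manual recommends 255 to allow future algorithms).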


        • #19
          oh man, that is wow, just closed a lot of open loops for me

          highly appreciated

          will be in touch dude

          thanks again



          • #20
            kafecadm,

            I really appreciate you figuring this out. However, I'm having issues after following your instructions. I created a new user with the first PHP code and then replaced the event on login with the second set of code. I increased the DB field to 64 to contain the 512 hash. When I attempt to log in with the new user under SHA512, I get a 1054: Unknown column 'c2c6161a45329e01d419c10374bd89604f5ab95466f1d6cab716927d61fdd968817285e3b95074de6257b145c5d8604c20d4f5aec52258b5a5a8ebbb6cd3df3b' in 'where clause'. I searched online for help and can only find a Stack Overflow thread mentioning the treatment of strings with a ' mark. I attempted to change the code with different combinations of ' " but with no success. From other replies on this thread, it seems like your solution works. What am I doing wrong?

            PHP Code:
            $slogin = sc_sql_injection({login});
            $spswd  = hash('sha512', {pswd});

            $sql = "SELECT
                    s.priv_admin,
                    s.active,
                    s.name,
                    s.email,
                    s.emp_id,
                    s.comp_id,
                    e.c_member,
                    s.group_id
                      FROM sdh_sec_users s
                      JOIN emp_comp_access e ON e.login = s.login AND s.comp_id = e.c_member
                      WHERE e.login = " . $slogin . "
                      AND s.pswd = " . $spswd . "";   // $spswd is not quoted here

            sc_lookup(rs, $sql);



            • #21
              Originally posted by ancr2001:
              kafecadm,

              I really appreciate you figuring this out. However, I'm having issues after following your instructions. I created a new user with the first PHP code and then replaced the event on login with the second set of code. I increased the DB field to 64 to contain the 512 hash. When I attempt to log in with the new user under SHA512, I get a 1054: Unknown column 'c2c6161a45329e01d419c10374bd89604f5ab95466f1d6cab716927d61fdd968817285e3b95074de6257b145c5d8604c20d4f5aec52258b5a5a8ebbb6cd3df3b' in 'where clause'. I searched online for help and can only find a Stack Overflow thread mentioning the treatment of strings with a ' mark. I attempted to change the code with different combinations of ' " but with no success. From other replies on this thread, it seems like your solution works. What am I doing wrong?

              PHP Code:
              $slogin = sc_sql_injection({login});
              $spswd  = hash('sha512', {pswd});

              $sql = "SELECT
              s.priv_admin,
              s.active,
              s.name,
              s.email,
              s.emp_id,
              s.comp_id,
              e.c_member,
              s.group_id
              FROM sdh_sec_users s
              JOIN emp_comp_access e ON e.login = s.login AND s.comp_id = e.c_member
              WHERE e.login = " . $slogin . "
              AND s.pswd = " . $spswd . "";   // $spswd is not quoted here

              sc_lookup(rs, $sql);

              Hello Man:

              Have you figured out what your problem is?... remember that you are comparing a string, so the login and the password must be enclosed in single quotes... the sc_sql_injection function encloses the login, but the password is not... so change your SQL statement to:

              PHP Code:
              $slogin = sc_sql_injection({login});
              $spswd  = hash('sha512', {pswd});

              $sql = "SELECT
              s.priv_admin,
              s.active,
              s.name,
              s.email,
              s.emp_id,
              s.comp_id,
              e.c_member,
              s.group_id
              FROM sdh_sec_users s
              JOIN emp_comp_access e ON e.login = s.login AND s.comp_id = e.c_member
              WHERE e.login = " . $slogin . "
              AND s.pswd = '" . $spswd . "'";   // hash enclosed in single quotes, as sc_sql_injection does for the login

              sc_lookup(rs, $sql);
              Regards



              • #22
                Adding to kafe's post: the reason you don't need to enclose $slogin in single quotes is the sql_injection macro, but you are not using it on $spswd, so you have to enclose $spswd in single quotes for it to be a string in the SQL.
                /Giuseppe

                Professional Scriptcase Services
                Some Customers opinions

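The quoting problem worked through in #20, #21 and #22 disappears entirely when the login and the hash are bound as parameters instead of pasted into the SQL string. The following is an added example, not code from the thread or from Scriptcase: it rebuilds the login lookup from #16 on top of PDO with an in-memory SQLite database so it runs stand-alone. It assumes that PDO::quote() stands in for the sc_sql_injection() macro and a prepared SELECT for sc_lookup(); the table sec_users(login, pswd, active) mirrors the thread's schema, and the user and password are constructed sample values.

```php
<?php
// Added example (not from the thread or Scriptcase): the sec_login lookup with
// the hash concatenated unquoted (as in #20) next to the same lookup with bound
// parameters. Requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sec_users (login TEXT PRIMARY KEY, pswd TEXT NOT NULL, active TEXT)');

// onbeforeinsert equivalent: store only the sha512 hex digest (128 characters,
// so the column must be wider than the varchar(32) that fits an md5).
function registerUser(PDO $db, string $login, string $password): void {
    $stmt = $db->prepare('INSERT INTO sec_users (login, pswd, active) VALUES (?, ?, ?)');
    $stmt->execute([$login, hash('sha512', $password), 'Y']);
}

// The #20 form: login is quoted (what sc_sql_injection does), but the hash is
// pasted bare, so the database parses the hex string as a column name and the
// query fails (MySQL reports 1054 Unknown column; SQLite reports no such column).
function loginConcatenated(PDO $db, string $login, string $password): ?array {
    $slogin = $db->quote($login);            // assumed stand-in for sc_sql_injection({login})
    $spswd  = hash('sha512', $password);
    $sql = "SELECT login, active FROM sec_users WHERE login = " . $slogin . " AND pswd = " . $spswd;
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        echo "concatenated query failed: " . $e->getMessage() . "\n";
        return null;
    }
}

// Bound parameters: the driver sends login and hash as values, so quoting is not
// the programmer's job and no part of the user input is interpreted as SQL.
function loginPrepared(PDO $db, string $login, string $password): ?array {
    $stmt = $db->prepare('SELECT login, active FROM sec_users WHERE login = ? AND pswd = ?');
    $stmt->execute([$login, hash('sha512', $password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function describe(?array $row): string {
    return $row === null ? 'no match' : 'match for ' . $row['login'];
}

registerUser($db, 'mike', 'correct horse battery');   // constructed sample user

echo "concatenated, right password: " . describe(loginConcatenated($db, 'mike', 'correct horse battery')) . "\n";
echo "prepared, right password:     " . describe(loginPrepared($db, 'mike', 'correct horse battery')) . "\n";
echo "prepared, wrong password:     " . describe(loginPrepared($db, 'mike', 'wrong')) . "\n";
echo "prepared, login with a quote: " . describe(loginPrepared($db, "o'brien", 'anything')) . "\n";
```

The last line shows why binding is preferable even once the quotes are fixed: a login containing a single quote is handled by the driver, whereas with string concatenation it depends on every caller remembering the escaping macro. Inside Scriptcase the same idea applies to the thread's snippet: the single quotes around $spswd in #21 are the minimum fix, and the hash should never be placed in the SQL without them.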


                • #23
                  Thanks guys, all is working now!



                  • #24
                    If you go to the routine in the application you can change it any way you like. A tutorial is too much, you'll find loads of samples here: http://www.w3schools.com/php/func_string_sha1.asp
                    Albert Drent
                    aducom software netherlands
                    scriptcase partner, reseller, support and (turn-key) development
                    www.scriptcase.eu / www.scriptcase.nl



                    • #25
                      Thank you Albert, I used sha512 and everything works fine. By the way, I sent you a mail a few days back.



                      • #26
                        Hi Mike,

                        I haven't received that. Will look into my spamboxes.
                        I haven't found any messages from you in my spamdrain boxes. When did you send it? Can you send it again to a dot drent at aducom dot com?

                        b.r. Albert
                        Last edited by aducom; 07-17-2016, 05:32 AM.
                        Albert Drent
                        aducom software netherlands
                        scriptcase partner, reseller, support and (turn-key) development
                        www.scriptcase.eu / www.scriptcase.nl



                        • #27
                          Thank you Albert, I saw your reply; maybe you want to remove your encoded email above, spammers will use it to add the method to their dictionary loool



                          • #28
                            They already have it. Have spamdrain on it which works perfectly fine.
                            Albert Drent
                            aducom software netherlands
                            scriptcase partner, reseller, support and (turn-key) development
                            www.scriptcase.eu / www.scriptcase.nl
