[solved] new entries in staccess are not accepted

Site Admin Joined: Aug 22, 2007 Posts: 1775

I'm struggling on a strange issue with my staccess entries. I tried to add a new admin password for the HTTPAuth login. After storing the crypted PWs into the staccess i can't login with this new user. The strange thing on it, it works with all older users/pws without a hit but only the new entry will not work. All paths and file-permissions are correct. All entries are stored correctly in the database.

So i have tried to ad manually a user like: test:a1b2c3 but now way, the entry will not work.... any ideas?

It seems this issue exists since the change of the php version from 5.3.x to 5.4.x but i have no clue why it will not more work.

Edit: It seems the issue is based in the crypt() function while storing in /admin/modules/nukesentinel/ABAuthEditSave.php

php Code:

$xpassword_md5 = md5($xpassword);


$xpassword_crypt = crypt($xpassword);

http://php.net/manual/en/function.crypt.php

Quote:

salt

An optional salt string to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results.

I have tried to change this line to check what is happen if i'm adding a salt parameter. (this only a test, please do not add it in a running website!)

php Code:

$xpassword_crypt = crypt($xpassword, 'N$');

Now it works but the result of the crypted PW is very short. So i have it changed back. The other strange thing is that my php 5.3.x and 5.5.x local wamp installations create salts lile $1$ and my server creates salts like $6$ and the crypted PWs are also much longer (60 chars).

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

I haven't seen that, but I usually generate the password here: http://tools.dynamicdrive.com/password/

Then manually add it, and haven't had problems.

Posted: Mon Sep 22, 2014 3:36 am

Thanks but that will not help because the hashed string is to short.

After hours of reading and updating my server on php 5.5.17 i found the cause of that. Since php 5.3.7 on the most servers crypt() supports more than 1 algorithm, so it will be used the best available. In my case crypt() is using CRYPT_SHA512. But it seems the HTTPAuth module of apache2 get some trouble with new stronger algorithms.

So i have tried to build manually a random created salt before hashing with cypt() in order to get a salt like CRYPT_MD5.

php Code:

  function generateRandomString($length = 15) {


	  return substr(sha1(rand()), 0, $length);


  }


  $salt = '$1$' . generateRandomString() . '$';


  $xpassword_crypt = crypt($xpassword, $salt);

Tada! It works! But i have not a clue if is it a bug in the HTTPAuth module with the long hashes by CRYPT_BLOWFISH, CRYPT_SHA256 and CRYPT_SHA512... anyway it works again for me.