1 Reply by joan

(1 replies, posted in PunBB 1.4 troubleshooting)

OK, I think I've found something.
In the new version, pages are set to charset UTF-8.
In the old version, they are set to iso-8859-1.

That means that when the form data is POSTed, if the passwords contains special chars that have a different representation in 8859-1 and UTF-8 (say character "à" or "ê"), they get converted to a different binary representation.

All the hashes in my database have been computed using the 8859-1 representation of the password strings. This means that switching to UTF-8 breaks password verification for anyone using a character with different 8859-1 and UTF-8 representation.

In punbb 1.2, most pages use <pun_char_encoding> which is dynamically replace by $lang_common['lang_encoding'] which is defined as 'iso-8859-1' in common.php.

In punbb 1.4, if I'm not mistaken, the charset is hard coded in header.php, in main.tpl and in the form themselves. I'll have to try to revert everything to 8859-1 to see if I can get the right hashes…

Shouldn't everyone doing the migration face this issue? Or maybe people don't often use special chars in passwords?

Go to forum: PunBB 1.4 troubleshooting

2 Topic by joan

(1 replies, posted in PunBB 1.4 troubleshooting)

Hello,
I'm trying to migrate from my old 1.2 install to a fresh punbb 1.4 (on localhost WAMP, first for testing).
I exported the sql from the live install and reimported it locally without issue, pointed to admin/db_update.php, launched the conversion.

The conversion goes seemingly without problem, but then I try to login with any of two accounts from the old install (admin, and personnal account) I'm constantly refused with "Incorrect username and/or password".
I've double checked the password, they work on the old install, both accounts are present in the new database with the same password hash. The salt field is NULL in all cases.

Any one has an idea of what I'm doing wrong?
I've tried both with enabling or not enabling the charset conversion but I don't think that has any impact on that.
Thanks

--
edit:
It turns out that when I do a manual SHA1 on my password, I don't get the same hash that what's stored in the db.

This means that when login in on the live site, the hash is not computed on my actual password but on something else. Maybe due to char encoding or something… (I always have some special chars like à, $, ', É, etc. in my passwords).
When I capture the POST request on login, I see the special chars in the password have been escaped with %E0, etc. I Still can't find what exactly generates the saved hashes though.

Go to forum: PunBB 1.4 troubleshooting