1

(12 replies, posted in Discussions)

No worries. :)

I haven't started attempting this yet, but I will keep this topic updated as I make progress... any chance I get.

2

(12 replies, posted in Discussions)

Faybelline wrote:

Is whirlpool better than sha1?

It's a lot more secure.

PanBB.Ru wrote:

Today WHIRLPOOL is resistant to all types of cryptanalysis.
In over 8 years of Whirlpool there have been no recorded attacks on it.

3

(12 replies, posted in Discussions)

Apologies, I have not been around these parts for a long time (busy busy). Figured I would check in; has anyone else made any headway on this? I lost all the code changes I had made (should've made a repo for the changes on GitHub, my bad!), so I will probably start again with it from scratch, as it is still something I am very much interested in.

4

(12 replies, posted in Discussions)

It's surprising how little (if any) software uses it when it comes to internet forums and blogs, where there is sensitive data such as passwords. I guess they deem it unnecessary, but in my opinion using the best security should always be the top priority to protect yourself and your site's users.

I'll have a read of the code at some point when I have time, and play with it to see if I can get it to work. I'll keep this thread updated and any help in getting this to work would be appreciated.

I know how to use the PHP 'hash' function:

string hash ( string $algo , string $data [, bool $raw_output = false ] )

But it's implementing it into the PunBB code so that it uses Whirlpool for its password hashing rather than sha1 that I'm unsure about.

EDIT: I've managed to convert the install script and the login script to work with Whirlpool instead :) - I just need to do the register.php file now.

5

(12 replies, posted in Discussions)

As I said I would be using Whirlpool instead of sha1.

6

(12 replies, posted in Discussions)

I never said it was just because of security. Also just because you haven't had any problems with people hacking into PunBB forums doesn't mean you never will with a weak hash like that.

Anyway, it isn't just because of security that I want to do it; it's also because I want to integrate PunBB and customize it for my own needs for a game server that uses MySQL to store its information, such as users and stats. I want to integrate PunBB into this system as the forums for the game server, as well as the user control panel from which users can edit their in-game characters.

Basically PunBB would be the master account through the website, and then players will be able to link their in-game accounts or create new in-game accounts through their master forum account.

Thanks for pointing those functions out; however, changing those functions would break the login.php, register.php, and install.php scripts where password hashing is involved, wouldn't it?

Example:

// Login
if (isset($_POST['form_sent']) && empty($action))
{
    $form_username = forum_trim($_POST['req_username']);
    $form_password = forum_trim($_POST['req_password']);
    $save_pass = isset($_POST['save_pass']);

    ($hook = get_hook('li_login_form_submitted')) ? eval($hook) : null;

    // Get user info matching login attempt
    $query = array(
        'SELECT'    => 'u.id, u.group_id, u.password, u.salt',
        'FROM'        => 'users AS u'
    );

    if (in_array($db_type, array('mysql', 'mysqli', 'mysql_innodb', 'mysqli_innodb')))
        $query['WHERE'] = 'username=\''.$forum_db->escape($form_username).'\'';
    else
        $query['WHERE'] = 'LOWER(username)=LOWER(\''.$forum_db->escape($form_username).'\')';

    ($hook = get_hook('li_login_qr_get_login_data')) ? eval($hook) : null;
    $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
    list($user_id, $group_id, $db_password_hash, $salt) = $forum_db->fetch_row($result);

    $authorized = false;
    if (!empty($db_password_hash))
    {
        $sha1_in_db = (strlen($db_password_hash) == 40) ? true : false;
        $form_password_hash = forum_hash($form_password, $salt);

        if ($sha1_in_db && $db_password_hash == $form_password_hash)
            $authorized = true;
        else if ((!$sha1_in_db && $db_password_hash == md5($form_password)) || ($sha1_in_db && $db_password_hash == sha1($form_password)))
        {
            $authorized = true;

            $salt = random_key(12);
            $form_password_hash = forum_hash($form_password, $salt);

            // There's an old MD5 hash or an unsalted SHA1 hash in the database, so we replace it
            // with a randomly generated salt and a new, salted SHA1 hash
            $query = array(
                'UPDATE'    => 'users',
                'SET'        => 'password=\''.$form_password_hash.'\', salt=\''.$forum_db->escape($salt).'\'',
                'WHERE'        => 'id='.$user_id
            );

            ($hook = get_hook('li_login_qr_update_user_hash')) ? eval($hook) : null;
            $forum_db->query_build($query) or error(__FILE__, __LINE__);
        }
    }

    ($hook = get_hook('li_login_pre_auth_message')) ? eval($hook) : null;

    if (!$authorized)
        $errors[] = sprintf($lang_login['Wrong user/pass']);

    // ... remainder of the login block omitted in this excerpt
}

If I changed the hashing functions to use Whirlpool, it would break the above code completely, would it not? I guess with the forum_hash function I would just change the sha1 function to use PHP's hash function, but the above code also checks for md5/sha1. In my situation, would it be easier to re-write the login/register/install functions that handle passwords, or is there an easier way around this?

Thanks.
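The question above is really about the migration path: the quoted login.php block tolerates old MD5 and unsalted SHA1 hashes and rewrites them as salted SHA1 on the next successful login, so a new scheme can be slotted in by extending that same detect-and-upgrade pattern rather than rewriting the three scripts. The following is an added example written for this page; it is not PunBB's code nor the poster's. It assumes PunBB 1.4's forum_hash($str, $salt) is sha1($salt.sha1($str)) (reproduced as legacy_forum_hash), that the hashes in the users table are hex strings of length 32 (MD5), 40 (SHA1) or 128 (Whirlpool), and that PHP 7.1 or later is available (random_bytes, hash_equals, nullable return types). The function names forum_hash_whirlpool, new_salt and verify_and_upgrade are the example's own.

```php
<?php
// Added example, not PunBB code: Whirlpool replacement for forum_hash() plus a
// verify-and-upgrade routine modelled on the login.php logic quoted above.
// Assumptions: legacy PunBB 1.4 forum_hash() is sha1($salt.sha1($str)); stored
// hashes are lowercase hex of length 32 (MD5), 40 (SHA1) or 128 (Whirlpool).
// Requires PHP >= 7.1 (random_bytes, hash_equals, nullable return types).

// New scheme: salted Whirlpool, 128 hex chars. Keeping the (password, salt)
// signature means callers in login.php / register.php / install.php stay the same.
function forum_hash_whirlpool(string $str, string $salt): string
{
    return hash('whirlpool', $salt . hash('whirlpool', $str));
}

// Legacy PunBB 1.3/1.4 scheme (assumed to be sha1($salt.sha1($str))).
function legacy_forum_hash(string $str, string $salt): string
{
    return sha1($salt . sha1($str));
}

// Stand-in for PunBB's random_key(): $len random hex characters from the CSPRNG.
function new_salt(int $len = 12): string
{
    return substr(bin2hex(random_bytes($len)), 0, $len);
}

/**
 * Verify $form_password against the stored hash and salt.
 * Returns null on failure; ['upgrade' => false] when the row already holds a
 * Whirlpool hash; or ['upgrade' => true, 'password' => ..., 'salt' => ...] with
 * the new values to UPDATE into users, mirroring how login.php rewrites legacy
 * MD5 / unsalted SHA1 hashes after a successful login.
 */
function verify_and_upgrade(string $form_password, string $db_hash, string $salt): ?array
{
    $db_hash = strtolower($db_hash);
    $candidates = [];

    switch (strlen($db_hash)) {
        case 128: // already the new scheme: verify in constant time, no rewrite
            if (hash_equals($db_hash, forum_hash_whirlpool($form_password, $salt))) {
                return ['upgrade' => false];
            }
            return null;
        case 40:  // SHA1: salted (PunBB 1.3/1.4) or unsalted (PunBB 1.2) - same length,
                  // so both forms must be tried, exactly as the quoted login.php does
            $candidates[] = legacy_forum_hash($form_password, $salt);
            $candidates[] = sha1($form_password);
            break;
        case 32:  // MD5 (PunBB 1.2 and earlier)
            $candidates[] = md5($form_password);
            break;
        default:  // unknown format (or empty hash): never guess
            return null;
    }

    foreach ($candidates as $candidate) {
        if (hash_equals($db_hash, $candidate)) {
            $new_salt = new_salt();
            return [
                'upgrade'  => true,
                'salt'     => $new_salt,
                'password' => forum_hash_whirlpool($form_password, $new_salt),
            ];
        }
    }
    return null;
}

// Demo on constructed data: an account created under PunBB 1.4 logs in twice.
$salt   = new_salt();
$stored = legacy_forum_hash('correct horse', $salt);
$first  = verify_and_upgrade('correct horse', $stored, $salt);
assert($first !== null && $first['upgrade'] === true);     // rewrite row with new hash+salt
$second = verify_and_upgrade('correct horse', $first['password'], $first['salt']);
assert($second === ['upgrade' => false]);                   // now verified as Whirlpool
assert(verify_and_upgrade('wrong', $first['password'], $first['salt']) === null);
echo "ok\n";
```

Two points worth keeping in mind when wiring this in. The length check is what lets old rows keep working, so register.php and install.php only need to call forum_hash_whirlpool with a fresh salt, while login.php swaps its comparison block for verify_and_upgrade and performs the UPDATE when 'upgrade' is true; hash_equals is used instead of == so the comparison does not leak timing information. Also, Whirlpool, like SHA1, is a fast general-purpose hash: the salt defeats precomputed tables but does not slow down brute force of a leaked table, whereas PHP's built-in password_hash()/password_verify() (bcrypt, available since PHP 5.5) is designed for that, and the same detect-and-upgrade pattern applies to it since its output has a distinctive 60-character format.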

7

(12 replies, posted in Discussions)

So I was thinking of changing the password hashing system used in PunBB to use the PHP hash function and hash passwords with Whirlpool instead of sha1, which is horribly outdated and very easy to crack these days. However, I only have a very basic understanding of PHP, so I was wondering if anyone here would be able to point me in the right direction.

I know that the files that would need changing are login.php, register.php and install.php, as they all handle passwords and password hashing; however, I feel that if I go tinkering without some guidance I'll end up breaking something horribly.

Thanks for any helpful replies.

8

(26 replies, posted in PunBB 1.4 additions)

edgarsedov wrote:

is anybody here alive? Have someone tested this good extension on punBB 1.4.4?

I can confirm that it seems to work fine on PunBB 1.4.4 without any errors. I tested on my localhost machine using XAMPP for Windows 5.5.30. :)

EDIT: As a side note, I also used the latest version of this extension, which is 0.0.4.

9

(14 replies, posted in Discussions)

Glad I helped :)

10

(14 replies, posted in Discussions)

fantasma wrote:

KeyCaptcha does not seem to be sufficient on my forum; today 1 new bot registration, but surely better than the old official plugin, which was totally useless.

It's more than likely a human spammer, then. I've yet to get a bot registering through that captcha.

11

(14 replies, posted in Discussions)

KeyCaptcha does one for PunBB. Ever since I started using KeyCaptcha I have NEVER had a spam registration with its protection in place.

https://www.keycaptcha.com/

There's the link, take a look.