4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: V@no on March 29, 2009, 09:49:56 PM

Title: [1.7 - 1.7.6] 4images accepts a blank new password when changing password
Post by: V@no on March 29, 2009, 09:49:56 PM

This bug allows members set blank passwords at "change password" form (credit goes to komsho24 (http://www.4homepages.de/forum/index.php?action=profile;u=19732) and Nicky (http://www.4homepages.de/forum/index.php?action=profile;u=3) for reporting this bug)

In members.php find:
  $user_password = md5(trim($HTTP_POST_VARS['user_password']));
  $user_password2 = md5(trim($HTTP_POST_VARS['user_password2']));

Replace it with:
  $user_password = trim($HTTP_POST_VARS['user_password']);
  $user_password2 = trim($HTTP_POST_VARS['user_password2']);

Then find a few lines below:
            SET ".get_user_table_field("", "user_password")." = '$user_password'

Replace it with:
            SET ".get_user_table_field("", "user_password")." = '".md5($user_password)."'

Title: Re: [1.7 - 1.7.6] 4images accepts a blank new password when changing password
Post by: mawenzi on March 30, 2009, 04:34:04 PM

... thanks V@no for this fix ... and also thanks to Nicky for the bug reporting ...

Title: Re: [1.7 - 1.7.6] 4images accepts a blank new password when changing password
Post by: Nicky on March 30, 2009, 06:09:55 PM

hey lol guys...

no it wasnt me :)
user komsho24 (http://www.4homepages.de/forum/index.php?action=profile;u=19732) that he can set blank password
http://www.4homepages.de/forum/index.php?topic=21872.msg134243#msg134243

i only found out if you set blank password and logout yourself from the gallery that you can not login anymore with "blank" password field.

V@no,

thank you for the fix fix :) !