widd / kitsune-register
Simple registration form for Kitsune
License: MIT License
Lately I got a message from one of our members stating that they were facing login issues with Kitsune AS3. The issue is that the password is hashed with a key that contains the username, which produces a different hash: when you try to log in, the password sent by the client is hashed without the username. This inconsistency is what causes the invalid password error to pop up during login. So I decided to experiment with a script.
```php
<?php
// Test.php: reproduce the registration/login hash derivation.
$username = "Meme";
$password = "memetwo";
// The client sends the uppercase MD5 of the plaintext password.
$hashedPassword = strtoupper(md5($password));
// Static key used by register.php (without the username appended).
$staticKey = 'e4a2dbcca10a7246817a83cd';

// Pre-bcrypt digest, as the login side computes it.
$diffhash = getDiffHash($hashedPassword, $staticKey);
echo $diffhash . chr(10);
// bcrypt of the same digest, as register.php would store it.
$fancyPassword = getLoginHash($hashedPassword, $staticKey, $username);
echo $fancyPassword . chr(10);

if (password_verify($diffhash, $fancyPassword)) {
    echo "Matches\n";
} else {
    echo "Not matching\n";
}

// Optionally MD5 the input, then swap the two 16-character halves of the hex digest.
function encryptPassword($password, $md5 = true) {
    if ($md5 !== false) {
        $password = md5($password);
    }
    $hash = substr($password, 16, 16) . substr($password, 0, 16);
    return $hash;
}

// Registration-side derivation: digest -> key -> fixed suffix -> md5+swap -> bcrypt.
// Note that $username is accepted but never used here; only $staticKey feeds the hash.
function getLoginHash($password, $staticKey, $username) {
    $hash = encryptPassword($password, false);
    $hash .= $staticKey;
    $hash .= "a1ebe00441f5aecb185d0ec178ca2305Y(02.>'H}t\":E1_root";
    $hash = encryptPassword($hash);
    $hash = password_hash($hash, PASSWORD_DEFAULT, [ 'cost' => 12 ]);
    return $hash;
}

// Login-side derivation: identical to getLoginHash() but stops before bcrypt,
// producing the value that is compared with password_verify().
function getDiffHash($password, $staticKey) {
    $hash = encryptPassword($password, false);
    $hash .= $staticKey;
    $hash .= "a1ebe00441f5aecb185d0ec178ca2305Y(02.>'H}t\":E1_root";
    $hash = encryptPassword($hash);
    return $hash;
}
?>
```
You will notice that the hash produced with the username is different from the one produced without it. So if you try to match the stored password hash (the one computed with the username) against the hash sent by the client, you get an incorrect password error, but if you do it without the username, you get authorized. Note that even though this script says it matches, take a look at the hashes it prints.
```
lynx@lynx-HP-Notebook:~$ cd Documents
lynx@lynx-HP-Notebook:~/Documents$ php Test.php
0de148e5e9dddc381ec7217c06a661c0
$2y$12$AxIm/u1mFvODfcM4QGr.yeUIutUl3Jz2xkrcsupgoE.qZE6U103ry
Matches
lynx@lynx-HP-Notebook:~/Documents$ php Test.php
03aa47b7af7a140dc74168137e238aa9
$2y$12$iPtEpSiVjbZ5Rz/W.DpbYugylwgxXa0f6gJcT0/AJoMrMlJjv2Iha
Matches
lynx@lynx-HP-Notebook:~/Documents$
```
To fix this issue, in register.php find the line:

```php
$staticKey = 'e4a2dbcca10a7246817a83cd' . $username;
```

and replace it with:

```php
$staticKey = 'e4a2dbcca10a7246817a83cd';
```
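The following script is an added example, not code from the kitsune-register repository or from Kitsune itself. It puts the two sides of the problem next to each other: a registration-side derivation that can either append the username to the static key (the line the fix removes) or leave it out, and a login-side check that, like the client, only knows the static key. The helper names `deriveStoredHash()`, `clientLoginHash()` and `verifyLogin()` are assumptions; the transform steps, static key and suffix are taken from the script above. With the username appended, `password_verify()` rejects the login; with the fixed key it succeeds.

```php
<?php
// Added example (not part of kitsune-register): reproduces the registration/login
// mismatch and shows that dropping $username from the key makes both sides agree.
// Function names below are assumptions; the derivation mirrors the script above.

const STATIC_KEY  = 'e4a2dbcca10a7246817a83cd';
const SALT_SUFFIX = "a1ebe00441f5aecb185d0ec178ca2305Y(02.>'H}t\":E1_root";

// Same transform as encryptPassword(): optional MD5, then swap the 16-char halves.
function swapHalves(string $hex, bool $md5 = true): string {
    if ($md5) {
        $hex = md5($hex);
    }
    return substr($hex, 16, 16) . substr($hex, 0, 16);
}

// Pre-bcrypt digest for a given key. The client computes exactly this from the
// uppercase MD5 of the plaintext password and the key it has.
function preHash(string $md5Password, string $key): string {
    $hash = swapHalves($md5Password, false) . $key . SALT_SUFFIX;
    return swapHalves($hash);
}

// Registration side: what register.php stores. $includeUsername = true reproduces
// the original "'e4a2...' . $username" line; false reproduces the fixed line.
function deriveStoredHash(string $password, string $username, bool $includeUsername): string {
    $key = $includeUsername ? STATIC_KEY . $username : STATIC_KEY;
    $pre = preHash(strtoupper(md5($password)), $key);
    return password_hash($pre, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Login side: the client never appends the username, so it always derives the
// pre-hash from the static key alone.
function clientLoginHash(string $password): string {
    return preHash(strtoupper(md5($password)), STATIC_KEY);
}

// The emulator's check: bcrypt-verify the client's digest against the stored hash.
function verifyLogin(string $password, string $storedHash): bool {
    return password_verify(clientLoginHash($password), $storedHash);
}

// Constructed sample credentials (same values as the script above).
$username = 'Meme';
$password = 'memetwo';

$withUsername = deriveStoredHash($password, $username, true);   // buggy register.php
$staticOnly   = deriveStoredHash($password, $username, false);  // fixed register.php

printf("stored with username in key : login %s\n", verifyLogin($password, $withUsername) ? 'OK' : 'REJECTED');
printf("stored with static key only : login %s\n", verifyLogin($password, $staticOnly) ? 'OK' : 'REJECTED');
```

Run it with `php` from the command line. The point it makes is that any value mixed into the key on the registration side must be available, byte for byte, on the login side; the username is not, so the two derivations diverge before bcrypt is ever applied, and no amount of debugging the bcrypt comparison itself will surface that.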