When upgrading my trusty old installation of 12.14, which seemingly went through without errors, after it was completed, there is a mention in the installation wizard that sometimes the ability to log in as admin might be lost.
This has struck here. Unfortunately, once you dismiss this information and proceed to log in (with or without locking the installer) you'll never see this text (and the help offered therein) again...
After finishing the installer, I could not log in as admin to unlock the site. And, as I wrote, the info is never shown again...
So I went to the database and I think I found the culprit.
In the table users_users I see that the record containing the admin carries a new password. According to my backup, the PW should be starting with "$1$9", but it is "$2y$10$".
According to PHP documentation the first characters before the dollar signs merely indicate the cryptographic method used for hashing. And it should be normal that from time to time PW will be re-encrypted by new methods like blowfish, or key lengths. PHP docs even recommend automating this.
But due to the one-way nature of hashing it is impossible to re-encrypt passwords without help from the user, here the admin. The PW has to be entered fresh and then encrypted with the new method. It's impossible to decipher and re-crypt.
So if in the short time-span between the backup I drew and the run of the installer, the PW changes in the DB and changes cryptographic method, it must have been tampered with!
One more nail in Tiki's coffin for me.
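The automated re-hashing that the PHP documentation recommends, as an added example (not Tiki's code and not part of the original report): the stored hash is replaced only after a successful login, when the plaintext is available, and each scheme change is logged so it can be compared against a backup. The function names, the user array, the log format and the sample password are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Map the "$id$" prefix of a crypt()-style hash to a scheme name.
function hash_scheme(string $hash): string
{
    $prefixes = [
        '$2y$' => 'bcrypt',
        '$1$'  => 'MD5-crypt',
        '$5$'  => 'SHA-256-crypt',
        '$6$'  => 'SHA-512-crypt',
    ];
    foreach ($prefixes as $prefix => $name) {
        if (strncmp($hash, $prefix, strlen($prefix)) === 0) {
            return $name;
        }
    }
    return 'unknown';
}

// Verify a login and upgrade the stored hash if it uses an older scheme.
// $user and $log are hypothetical stand-ins for a users table row and an audit log.
function login(array &$user, string $password, array &$log): bool
{
    // password_verify() also accepts legacy crypt() hashes such as $1$.
    if (!password_verify($password, $user['hash'])) {
        return false; // wrong password: the stored hash is left untouched
    }
    $options = ['cost' => 10];
    if (password_needs_rehash($user['hash'], PASSWORD_BCRYPT, $options)) {
        $old = hash_scheme($user['hash']);
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
        $log[] = sprintf('%s: hash upgraded %s -> %s',
            $user['login'], $old, hash_scheme($user['hash']));
    }
    return true;
}

// Constructed sample record with a legacy MD5-crypt hash (prefix "$1$9").
$user = ['login' => 'admin', 'hash' => crypt('correct horse', '$1$9abcdefg$')];
$log  = [];

var_dump(login($user, 'wrong guess', $log));   // failed login, no rehash
echo substr($user['hash'], 0, 4), PHP_EOL;     // still the $1$9 prefix
var_dump(login($user, 'correct horse', $log)); // successful login triggers upgrade
echo substr($user['hash'], 0, 7), PHP_EOL;     // now the $2y$10$ prefix
print_r($log);
```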