Fixed phpBB3 password validation fails in some scenarios

Kirby

Well-known member
Affected version
2.2.9
The string used in phpBB for generating the password hash is not the raw user input.

Buried somewhat deep in phpBB input handling:
phpbb\request\type_cast_helper::set_var

PHP:
public function set_var(&$result, $var, $type, $multibyte = false, $trim = true)
{
    settype($var, $type);
    $result = $var;

    if ($type == 'string')
    {
        $result = str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result);

        if ($trim)
        {
            $result = trim($result);
        }

        $result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8');

        if ($multibyte)
        {
            $result = utf8_normalize_nfc($result);
        }

        if (!empty($result))
        {
            // Make sure multibyte characters are wellformed
            if ($multibyte)
            {
                if (!preg_match('/^./u', $result))
                {
                    $result = '';
                }
            }
            else
            {
                // no multibyte, allow only ASCII (0-127)
                $result = preg_replace('/[\x80-\xFF]/', '?', $result);
            }
        }

        $result = ($this->strip) ? stripslashes($result) : $result;
    }
}

The preprocessing performed by this method causes validation to fail in XenForo as XenForo calculates the hash on raw user input.

$2y$10$Ij7U22PnYRa7MHgB99AjA.M2LncBiMc2CeqUSxDbZAcd46o31bXq2

This example hash for password TestäöüÄÖÜ!& taken from phpBB fails validation in XenForo.

Adding
PHP:
$password = str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $password);
$password = htmlspecialchars($password, ENT_COMPAT, 'UTF-8');

if (!\Normalizer::isNormalized($password))
{
    $password = \Normalizer::normalize($password);
}
to XF\Authentication\PhpBb3::authenticate() before calculating the hash seems to fix this.
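As an added illustration (not code from this thread, from phpBB or from XenForo), here is a Python reproduction of the three transformations the proposed fix applies before hashing (line-ending/NUL replacement, htmlspecialchars with ENT_COMPAT, NFC normalization), plus a check routine that takes the hash verifier as an injected callable so it runs without a bcrypt dependency; the trim step of set_var is left out, as the proposed fix omits it.

```python
import unicodedata


def phpbb_normalize_password(raw: str) -> str:
    """Return the string phpBB actually hashes for a submitted password.

    Mirrors the steps of type_cast_helper::set_var used in the proposed fix:
    str_replace of line endings and NUL, htmlspecialchars(ENT_COMPAT, UTF-8)
    and NFC normalization (utf8_normalize_nfc / Normalizer::normalize).
    """
    # str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $var)
    s = raw.replace("\r\n", "\n").replace("\r", "\n").replace("\0", "")
    # htmlspecialchars with ENT_COMPAT: & < > and double quote are escaped,
    # the single quote is not. '&' goes first so an existing entity such as
    # "&amp;" is double-encoded, matching PHP's default double_encode=true.
    for char, entity in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")):
        s = s.replace(char, entity)
    # NFC: compose combining sequences (e.g. "a" + U+0308 becomes U+00E4)
    return unicodedata.normalize("NFC", s)


def phpbb3_authenticate(raw_password: str, stored_hash: str, check_hash) -> bool:
    """XenForo-side check: verify the phpBB-processed string, not the raw input.

    check_hash(candidate: str, stored_hash: str) -> bool is injected; in a real
    deployment it would wrap bcrypt.checkpw on the UTF-8 encoded candidate.
    """
    return check_hash(phpbb_normalize_password(raw_password), stored_hash)


if __name__ == "__main__":
    # Constructed stand-in verifier so the demo runs offline: a "hash" here is
    # just the literal processed password prefixed with "hash:".
    fake_check = lambda cand, h: h == "hash:" + cand
    stored = "hash:" + phpbb_normalize_password("TestäöüÄÖÜ!&")
    print("raw input verifies:", fake_check("TestäöüÄÖÜ!&", stored))
    print("processed input verifies:", phpbb3_authenticate("TestäöüÄÖÜ!&", stored, fake_check))
```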
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.11).

Change log:
Implement suggested password normalization for PhpBb3 authentication
There may be a delay before changes are rolled out to the XenForo Community.