Camen Design Forum


RE[3]: logging in as a member to a locked forum


When you add usernames to the members file, these have to be *existing* usernames. Someone has to have created them with a password already. Normally a user is created when they post for the first time, but if you only have a locked board there is no way for them to do that so you are stuck.

Every user gets 1 file containing a cryptographic hash of their password in the users folder. If you have no users except for your admin user, there should only be a file called `c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec.txt` in there.

Lines 189 to 198 of `start.php` show you how this file is made:

        //users are stored as text files based on the hash of the given name
        $name = hash ('sha512', strtolower (NAME));
        //($user, the path of this user's file, is set outside the lines quoted here)
        //create the user, if new:
        //- if registrations are allowed (`FORUM_NEWBIES` is true)
        //- you can’t create new users with the HTTP_AUTH sign in
        if (FORUM_NEWBIES && !isset ($_SERVER['PHP_AUTH_USER']) && !file_exists ($user))
                file_put_contents ($user, hash ('sha512', $name.PASS)) or require FORUM_LIB.'error_permissions.php';

The filename is an sha512 hash of the username (all lowercase) and the file is filled with an sha512 hash of the hashed username and the password. As an example, if my username is `Glyn` and my password is `password` I get the following:

1. The lowercase version of `Glyn` is `glyn`.
2. The sha512 hash of `glyn` is `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576`.
3. Adding the password (`password`) to the username hash gives us `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576password`.
4. The sha512 hash of the combined string in step 3 is `191819174d7f8f1c69a5008a230e0a0ca76ec89b3231335e01779299ad93452c5aa353f8d3698a90ac3a6be50e689353cb9579ed3ddeb6d101b1c20dce9740f8`.
5. Create a file `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576.txt` in the users folder, with its sole contents the hash from step 4: `191819174d7f8f1c69a5008a230e0a0ca76ec89b3231335e01779299ad93452c5aa353f8d3698a90ac3a6be50e689353cb9579ed3ddeb6d101b1c20dce9740f8`

You can do this manually using any sha512 website, I used now as it was the first hit I got on a search-engine. It would probably go faster if you know how to use a commandline solution like openssl.

I hope that helps!
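The five steps in the post above, written as a shell script. This is an added example, not part of the original post or the forum's own code: the function names are made up for illustration, and ASCII-only lowercasing is an assumption about how `strtolower` treats usernames. Running it for `Glyn` / `password` gives output that can be compared against steps 2 and 4.

```shell
#!/usr/bin/env bash
# Added example: rebuild the user file described in steps 1-5 of the post.

# SHA-512 (hex) of exactly the bytes given. printf '%s' is deliberate: echo
# would append a newline and produce a different hash than PHP's hash().
sha512_hex() {
    if command -v sha512sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha512sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha512 | awk '{print $NF}'
    fi
}

# Steps 1-2: lowercase the username, then hash it (assumption: ASCII only).
user_name_hash() {
    sha512_hex "$(printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z')"
}

# Steps 3-4: hash of the username hash with the password appended.
user_pass_hash() {
    sha512_hex "$(user_name_hash "$1")$2"
}

# Step 5: write <username hash>.txt into the users folder ($1). Refuses to
# overwrite an existing user, like the !file_exists check in the snippet,
# and writes no trailing newline so the hash is the file's sole contents.
create_user_file() {
    local dir="$1" name="$2" pass="$3" file
    file="$dir/$(user_name_hash "$name").txt"
    if [ -e "$file" ]; then
        echo "user already exists: $name" >&2
        return 1
    fi
    printf '%s' "$(user_pass_hash "$name" "$pass")" > "$file"
    printf '%s\n' "$file"
}

# Usage: ./mkuser.sh <users-folder> <username>
# The password is prompted for, so it stays out of the shell history.
if [ "$#" -eq 2 ]; then
    read -r -s -p "Password for $2: " pw; echo >&2
    create_user_file "$1" "$2" "$pw"
fi
```

The created file has to be readable by the account the web server runs as, the same as the existing files in the users folder.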

Your friendly neighbourhood moderators: Kroc, Impressed, Martijn