User's password encryption

4 posts by 2 authors in: Forums > CMS Builder
Last Post: July 12, 2013   (RSS)

By incube - July 9, 2013

Is it normal that the admin password is not encrypted in the cms_account BD'S but the other one created after the installation are all encrypted with sha1 ???

By gregThomas - July 9, 2013

Hi incube,

Thanks for bringing this to our attention. We will ensure that in the next release of CMS Builder the admin password is automatically encrypted as the CMS is installed.

For now there are several ways to encrypt the admins password after an install of CMS Builder:

  • A user enters an invalid password  while logging into the CMS.
  • The user clicks "Save" on the "My Account" menu.
  • An admin saves or updates their account record.
  • Website Membership Plugin: A user entered an invalid password into the login form. 

Let me know if you have any questions.

Cheers

Greg

Greg Thomas







PHP Programmer - interactivetools.com

By gregThomas - July 12, 2013

Here is a quick update on the bug.

We've integrated a patch into our latest build of CMS Builder, so the next release will contain the fix. If you would like to patch the bug on your own version of CMS Builder, you can do so by opening cmsAdmin/lib/admin_functions.php, then update line 242 to this:

                          username         = '".mysql_escape( $_REQUEST['adminUsername'] )."', password = '".$passwordTextOrHash."',

The original line looks like this:

                          username         = '".mysql_escape( $_REQUEST['adminUsername'] )."', password = '".mysql_escape($_REQUEST['adminPassword2'])."',

This will ensure that the encrypted password is saved to the database if encryption is being used when the CMS is being installed.

Let me know if you have any questions.

Thanks!

Greg

Greg Thomas







PHP Programmer - interactivetools.com