[UberCMS] Password Reset

[JayC]

This one really has me stumped. It updates the password, WITH THE CORRECT MD5 Hash, and I know for sure its 100% correct because I have encrypted it and decrypted it online at multiple sources. The problem is if I change the password, the user can't log in.

<?php
                if(isset($_POST['TheUser'])){ //Posts The Form
                     $newPass = rand(58946, 98946); //Generates a Random Number
                     $hashedPass = md5($newPass); //Encrypts the numbers
                    $theUser = filter($_POST['TheUser']); //Grabs the posted text
                    $findUser = mysql_query("SELECT * FROM users WHERE username = '".$theUser."'"); // Tries to find the user
                   $findUser2 = mysql_fetch_assoc($findUser); //Fetch Assoc if possible
                    if(mysql_num_rows($findUser) == 0){ //Double check that user exists
                    echo "Invalid User"; //throw back user does not exist
                    }elseif($findUser2['rank'] > 7){//Make sure that user is not staff
                    echo "For Security, You can not reset this users password via housekeeping"; //Let them know they have to do it manually
                    }else{ //Otherwise
                     mysql_query("UPDATE users SET password = '".$hashedPass."' WHERE username='".$findUser2['username']."' LIMIT 1"); //Set Pass
                      echo "".$findUser2['username']."s pass has been changed to ".$newPass.""; //Echo out the new password of the user to give to them
                  }
                }
                    ?>

 

[Brad]

This one really has me stumped. It updates the password, WITH THE CORRECT MD5 Hash, and I know for sure its 100% correct because I have encrypted it and decrypted it online at multiple sources. The problem is if I change the password, the user can't log in.

<?php
                if(isset($_POST['TheUser'])){ //Posts The Form
                     $newPass = rand(58946, 98946); //Generates a Random Number
                     $hashedPass = md5($newPass); //Encrypts the numbers
                    $theUser = filter($_POST['TheUser']); //Grabs the posted text
                    $findUser = mysql_query("SELECT * FROM users WHERE username = '".$theUser."'"); // Tries to find the user
                   $findUser2 = mysql_fetch_assoc($findUser); //Fetch Assoc if possible
                    if(mysql_num_rows($findUser) == 0){ //Double check that user exists
                    echo "Invalid User"; //throw back user does not exist
                    }elseif($findUser2['rank'] > 7){//Make sure that user is not staff
                    echo "For Security, You can not reset this users password via housekeeping"; //Let them know they have to do it manually
                    }else{ //Otherwise
                     mysql_query("UPDATE users SET password = '".$hashedPass."' WHERE username='".$findUser2['username']."' LIMIT 1"); //Set Pass
                      echo "".$findUser2['username']."s pass has been changed to ".$newPass.""; //Echo out the new password of the user to give to them
                  }
                }
                    ?>

Doesn't Uber use sha1? Not entirely sure, you maybe have moved it to md5 but just asking just incase lol.

 

[JayC]

Doesn't Uber use sha1? Not entirely sure, you maybe have moved it to md5 but just asking just incase lol.

nah it uses MD5 Let me double check all the code !
 
Hey, Thank you very much for having me look into it more, I traced it and found the method it was actually calling to. Look how weird this is!!
sha1(md5($password) . strtolower($username));

 

[Brad]

nah it uses MD5 Let me double check all the code !
 
Hey, Thank you very much for having me look into it more, I traced it and found the method it was actually calling to. Look how weird this is!!
sha1(md5($password) . strtolower($username));

No problem, guessing you fixed the problem? If so I'll close thread.

 

[JayC]

No problem, guessing you fixed the problem? If so I'll close thread.

I did , thank ya sir.