Bridge Manager emergency recovery
 

Started by Nibbler, July 01, 2005, 03:54:53 PM


Nibbler

Isn't letting me disable the bridge, I suspect it does not support md5 passwords.

Joachim Müller

It doesn't, must have been forgotten when MD5-encryption was introduced. Volunteers?

donnoman

I've painted myself in that corner once or twice, I had to use phpmyadmin and reset the config var.

What exactly do you want to happen to what files? I'll check into it.

Nibbler

This bit:

$temp_user_table = $CONFIG['TABLE_PREFIX'].'users';
$results = cpg_db_query("SELECT user_id, user_name, user_password FROM $temp_user_table WHERE user_name = '" . addslashes($_POST['username']) . "' AND BINARY user_password = '" . addslashes($_POST['password']) . "' AND user_active = 'YES' AND user_group = '1'");


Needs to be modified to check if md5 passwords are enabled and hash the entered password if so.

donnoman

There also appears to be a problem if you are missing some of the bridged tables.

You can't get bridgemanager to run at all. It dies with:


While executing query "SELECT MAX(group_quota) as disk_max, MIN(group_quota) as disk_min, MAX(can_rate_pictures) as can_rate_pictures, MAX(can_send_ecards) as can_send_ecards, MAX(upload_form_config) as ufc_max, MIN(upload_form_config) as ufc_min, MAX(custom_user_upload) as custom_user_upload, MAX(num_file_upload) as num_file_upload, MAX(num_URI_upload) as num_URI_upload, MAX(can_post_comments) as can_post_comments, MAX(can_upload_pictures) as can_upload_pictures, MAX(can_create_albums) as can_create_albums, MAX(has_admin_access) as has_admin_access, MIN(pub_upl_need_approval) as pub_upl_need_approval, MIN( priv_upl_need_approval) as  priv_upl_need_approval FROM cpg14x_usergroups WHERE group_id in (1)" on 0

mySQL error: Table 'smf.cpg14x_usergroups' doesn't exist


I believe it's because calling pageheader starts including all of the coppermine stuff, I'm thinking we need to separate bridgemanager a little bit more from the main of coppermine.

Joachim Müller

No problem with that: as the bridge manager is only visible for admin only I could well live with it only using the simple UI of the installer and update.

donnoman

To fix the missing tables problem from a botched bridge setup I set it to always run bridge manager un-bridged by editing this in init.inc.php.


// Set UDB_INTEGRATION if enabled in admin
if ($CONFIG['bridge_enable'] == 1 && !defined('BRIDGEMGR_PHP')) {
   $BRIDGE = cpg_get_bridge_db_values();
} else {


To make bridgemanager-recovery honor encrypted passwords I added/modified the following in bridgemanager.php:

// Check if encrypted passwords are enabled
if ($CONFIG['enable_encrypted_passwords']) {
    $encpassword = md5(addslashes($_POST['password']));
} else {
    $encpassword = addslashes($_POST['password']);
}

$results = cpg_db_query("SELECT user_id, user_name, user_password FROM $temp_user_table WHERE user_name = '" . addslashes($_POST['username']) . "' AND BINARY user_password = '" . $encpassword . "' AND user_active = 'YES' AND user_group = '1'");
if (mysql_num_rows($results)) {
    $retrieved_data = mysql_fetch_array($results);
}
if ($retrieved_data['user_name'] == $_POST['username'] && $retrieved_data['user_password'] == $encpassword && $retrieved_data['user_name'] != '' ) {



Fixes committed, can someone verify it works as expected?
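
The recovery login check discussed in this thread, as an added example that is not Coppermine's code and not part of the original posts: it honours enable_encrypted_passwords, binds the user name as a parameter and compares the password in constant time. Assumptions: recovery_admin_login() is a hypothetical helper, PDO stands in for cpg_db_query(), stored hashes are MD5 of the raw password, and the SQLite rows are constructed sample data.

```php
<?php
// Added example, not Coppermine code. recovery_admin_login() is a hypothetical
// helper; table and column names follow the query quoted in the thread.
function recovery_admin_login(PDO $db, array $config, string $prefix,
                              string $username, string $password): ?array
{
    // Assumption: stored hashes are MD5 of the raw password. MD5 is used only
    // to match the storage format that enable_encrypted_passwords switches on.
    $candidate = !empty($config['enable_encrypted_passwords'])
        ? md5($password)
        : $password;

    // A table name cannot be bound, so restrict the prefix to safe characters.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }

    // The user name is a bound parameter instead of addslashes() concatenation.
    $stmt = $db->prepare(
        "SELECT user_id, user_name, user_password FROM {$prefix}users
         WHERE user_name = :name AND user_active = 'YES' AND user_group = 1"
    );
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Byte-exact, constant-time comparison (replaces BINARY user_password = ...).
    if ($row === false || !hash_equals((string) $row['user_password'], $candidate)) {
        return null;
    }
    return $row;
}

// Constructed sample data: an in-memory SQLite table stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cpg14x_users (user_id INTEGER, user_name TEXT,
           user_password TEXT, user_active TEXT, user_group INTEGER)");
$ins = $db->prepare("INSERT INTO cpg14x_users VALUES (?, ?, ?, ?, ?)");
$ins->execute([1, 'admin', md5('correct horse'), 'YES', 1]);
$ins->execute([2, 'member', md5('secret'), 'YES', 2]);

$cfg = ['enable_encrypted_passwords' => 1];
var_dump(recovery_admin_login($db, $cfg, 'cpg14x_', 'admin', 'correct horse') !== null); // admin, right password
var_dump(recovery_admin_login($db, $cfg, 'cpg14x_', 'admin', md5('correct horse')));      // stored hash sent as password
var_dump(recovery_admin_login($db, $cfg, 'cpg14x_', 'member', 'secret'));                // valid user outside group 1
```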

Nibbler