Erroneous password migration md5 to bcrypt

Post by cuddly_tiger » Sun Mar 08, 2020 1:21 pm

Recently, I upgraded a fairly old version (1.4.1) of Serendipity to the latest version (2.3.2).
Congratulations to the S9Y team, as the upgrade worked almost flawlessly. Quite a nice job for two versions that are ten years apart!
However, I did encounter an issue with the automatic password migration.
I found that Serendipity automatically converts the old (md5) passwords - but sets an incorrect hash type!
My assumption is that the original conversion routine was written for version 1.5 when MD5 hashes were converted to salted SHA1 hashes (hashtype=1).
When bcrypted passwords were introduced with version 2.2.1 the conversion routine was modified to convert the SHA1 hashes (hashtype=1) to bcrypt hashes (hashtype=2).
However, the older code - which takes care of converting the even older MD5 hashes - wasn't changed. As a result it converts the passwords (with the 'serendipity_hash' function) to the latest version (bcrypt) but still sets the hashtype to '1'.
This renders the password unusable as Serendipity tries to authenticate using the SHA1 hashed password against the stored bcrypt hashed password.

As a fix, I suggest the following change to the 'include/' file:
< hashtype = 2
> hashtype = 1
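Review bot: the direction of the markers looks reversed. In normal diff output `<` marks the line from the original file and `>` the line from the modified one, so as posted this reads as changing hashtype from 2 to 1, while the surrounding text describes setting it to 2. The snippet also carries no change command with line numbers and no file name (the path stops at 'include/'), so regenerating it as a unified diff against the affected file would make it reviewable and directly applicable.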

With this change, Serendipity will set the right hash type (2) when migrating an MD5 hashed password to the currently used hash version.
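
The failure mode described in the post above, as an added example that is not part of the original thread and not Serendipity's code: a login-time rehash that stores a bcrypt hash under the wrong type tag locks the account on the next login, and a prefix check can find rows already affected. All function and constant names, the tag value 0 for MD5, the salt and the password are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not Serendipity code; every name here is hypothetical.
const TYPE_MD5    = 0; // assumption: tag for legacy unsalted MD5 rows
const TYPE_SHA1   = 1; // salted SHA1, hashtype=1 in the post
const TYPE_BCRYPT = 2; // bcrypt, hashtype=2 in the post
const SALT = 'constructed-sample-salt';

// Verification dispatches on the stored tag, so the tag must match the hash.
function verify_password(array $user, string $pw): bool {
    switch ($user['hashtype']) {
        case TYPE_MD5:    return hash_equals($user['password'], md5($pw));
        case TYPE_SHA1:   return hash_equals($user['password'], sha1(SALT . $pw));
        case TYPE_BCRYPT: return password_verify($pw, $user['password']);
        default:          return false;
    }
}

// Rehash a legacy MD5 row on successful login. $newType is a parameter only
// so the demo can show both the mismatched and the matching tag.
function login(array &$user, string $pw, int $newType): bool {
    if (!verify_password($user, $pw)) {
        return false;
    }
    if ($user['hashtype'] === TYPE_MD5) {
        $user['password'] = password_hash($pw, PASSWORD_BCRYPT);
        $user['hashtype'] = $newType;
    }
    return true;
}

// Detection: a row tagged as non-bcrypt whose hash carries a bcrypt prefix.
function is_mistagged(array $user): bool {
    return $user['hashtype'] !== TYPE_BCRYPT
        && preg_match('/^\$2[aby]\$\d{2}\$/', $user['password']) === 1;
}

$pw = 'constructed-sample-password';
foreach (['mismatched tag' => TYPE_SHA1, 'matching tag' => TYPE_BCRYPT] as $label => $tag) {
    $user = ['password' => md5($pw), 'hashtype' => TYPE_MD5]; // constructed legacy row
    $first  = login($user, $pw, $tag); // verifies against MD5, then rehashes
    $second = login($user, $pw, $tag); // verifies against the migrated row
    printf("%s: first=%s second=%s mistagged=%s\n", $label,
        var_export($first, true), var_export($second, true),
        var_export(is_mistagged($user), true));
}
```

Rows flagged by the prefix check can be repaired by correcting the tag alone, since the stored bcrypt hash itself is valid.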

Post by onli » Sun Mar 15, 2020 9:54 am

Oh! That is quite possible. Could you send in the fix via GitHub as a pull request, or is it already fixed in master by now?

Post by erAck » Sun Apr 26, 2020 7:41 pm