PhotoPost Community - View Single Post

MissMint · August 28th, 2008, 07:30 AM

Nope, I did it to a new installation that I installed just to test this. Once I have perfected the import process, I will just either re-run it on the existing gallery, or simply transfer the appropriate database tables from this installation to my in-progress actual gallery.

However, looking closer at the coppermine.php code, I discovered the issue.

The line
$password = md5($line['user_password']);

Seeks to "encrypt" the User's password (as stored in coppermine - queried as $line['user_password']) as an md5 hash (which I assume is how Photopost confirms passwords).

However, the passwords in Coppermine's database (at least in the 1.42) is already in hash form, so the importer was taking a hash of the hash. This suggests to me that perhaps at some point in the past (when this importer was created), coppermine stored raw passwords (which would be pretty shoddy security, but I can't see a reason the importer would need to hash the password otherwise), but in any event, the md5 should be removed for the current versions of coppermine and photopost.

I removed the "md5" function from the coppermine.php importer and re-ran action=import_users, and it worked perfectly.

I'll post back if I find any other issues that can be improved for the lastest coppermine, but so far the other imports seem to have worked.

August 28th, 2008, 07:30 AM	#30 (permalink)
MissMint Junior Member Verified Customer Join Date: Jun 2008 Posts: 17	Nope, I did it to a new installation that I installed just to test this. Once I have perfected the import process, I will just either re-run it on the existing gallery, or simply transfer the appropriate database tables from this installation to my in-progress actual gallery. However, looking closer at the coppermine.php code, I discovered the issue. The line $password = md5($line['user_password']); Seeks to "encrypt" the User's password (as stored in coppermine - queried as $line['user_password']) as an md5 hash (which I assume is how Photopost confirms passwords). However, the passwords in Coppermine's database (at least in the 1.42) is already in hash form, so the importer was taking a hash of the hash. This suggests to me that perhaps at some point in the past (when this importer was created), coppermine stored raw passwords (which would be pretty shoddy security, but I can't see a reason the importer would need to hash the password otherwise), but in any event, the md5 should be removed for the current versions of coppermine and photopost. I removed the "md5" function from the coppermine.php importer and re-ran action=import_users, and it worked perfectly. I'll post back if I find any other issues that can be improved for the lastest coppermine, but so far the other imports seem to have worked.