PHP Account Creation

Discussions About MOSS (Myst Online Server Software)

Moderators: a'moaca', rarified

a'moaca'
Member
Posts: 163
Joined: Sat Dec 13, 2008 11:22 pm

Re: PHP Account Creation

Post by a'moaca' »

> branan wrote: But at this point in the connection DH has been completed, so it's unnecessary and redundant. It might be a normal thing in some systems, but it's "weird" in the overall architecture of MOUL's network code. Beyond that, it's SHA-0 which no one should be using for anything ever.

I agree about the SHA-0 part, but... you can disable the connection encryption. I don't think an extra layer of protection is a bad thing.

> branan wrote: As for other things: I've verified in Cyan's client code that the initial hash is always SHA-1, regardless of normal or special.

If that were so, nobody would be able to log in with "normal" email addresses after using compute_auth_hash. It's tested, it works. Except for whatever verboten character JW used. The use of SHA is even in libPlasma.

> branan wrote: The username is part of the hash for email usernames, and not part of it for other special usernames as you said. (that's another one of those special/weird cyan netcode moments).

Things develop by accretion, you know. Now, me, I would have called putting nul in place of the last character of the address and password the weird part.

- a'moaca'
branan
Member
Posts: 84
Joined: Wed Apr 06, 2011 11:35 pm

Re: PHP Account Creation

Post by branan »

> a'moaca' wrote:
> > branan wrote: As for other things: I've verified in Cyan's client code that the initial hash is always SHA-1, regardless of normal or special.
>
> If that were so, nobody would be able to log in with "normal" email addresses after using compute_auth_hash. It's tested, it works. Except for whatever verboten character JW used. The use of SHA is even in libPlasma.

OK, you're right. I checked again, and I misread the code the first time :oops:. In my defense, all the hashing code is hand-rolled, instead of using an existing library (like OpenSSL).

a'moaca'
Member
Posts: 163
Joined: Sat Dec 13, 2008 11:22 pm

Re: PHP Account Creation

Post by a'moaca' »

branan: I'm sorry, but check again. :lol: It's using OpenSSL SHA and SHA1. There are just lots of wrappers.

JW: I have not found any special treatment of characters in the client. I'm afraid I must suspect your password has something like ' or " or something else in it that has not been quoted properly by the PHP script. This needs more debugging, but so long as your characters are all printable ASCII as you put it, I don't think it's the client or compute_auth_hash.

I need to get back to my paying job now for a while.

- a'moaca'
JWPlatt
Member
Posts: 1137
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: PHP Account Creation

Post by JWPlatt »

A semicolon was the offender.
Perfect speed is being there.
a'moaca'
Member
Posts: 163
Joined: Sat Dec 13, 2008 11:22 pm

Re: PHP Account Creation

Post by a'moaca' »

So does this script need some work and testing to quote everything correctly?

- a'moaca'
Mac_Fife
Member
Posts: 1239
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland

Re: PHP Account Creation

Post by Mac_Fife »

Was there a conclusion here? What I'd really like to know is whether MOSS (and the client) have any expectations about what characters should not be used in a password? It sounds like any printable character ought to be OK with a few exceptions that might need to be escaped in the PHP script to be handled properly.
Mac_Fife
OpenUru.org wiki wrangler
JWPlatt
Member
Posts: 1137
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: PHP Account Creation

Post by JWPlatt »

Mac suggested to me that Merc was cleaning/stripping some characters from the pw. So it removed the semicolon in my pw, but I was still typing it. If I had not typed it, it probably would have worked.
Perfect speed is being there.
Mac_Fife
Member
Posts: 1239
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland

Re: PHP Account Creation

Post by Mac_Fife »

I think I was "misremembering" MercAngel's code. Looking back at what was posted at the top of this thread, that cleaning was only on the username and not the password. There's nothing in PHP or the HTML form handling that'd cause a semicolon to be dropped and I've established that a semicolon will survive right up until the hash is evaluated. Then, once the credentials are hashed it's largely irrelevant what symbols were used. So maybe it's the user input handling at login that's discarding some characters and causing the hashes to mismatch?
Mac_Fife
OpenUru.org wiki wrangler
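
An added example, not MercAngel's script or MOSS code: a small PHP harness for the kind of debugging discussed in this thread, which runs every printable ASCII character through a cleaning step and reports which ones would make the stored hash differ from the hash of what the user types at login. The `clean_input` filter, the sample credentials and the plain SHA-1 over password plus username are assumptions standing in for the real script and compute_auth_hash.

```php
<?php
// Added example: none of this is the thread's PHP script or MOSS code.

// Hypothetical cleaning step of the kind applied to usernames in a signup
// form: keeps letters, digits and a few e-mail punctuation marks.
function clean_input(string $s): string
{
    return preg_replace('/[^A-Za-z0-9@._-]/', '', $s);
}

// Stand-in for the real hash (assumption): SHA-1 over password . username.
function stand_in_hash(string $username, string $password): string
{
    return sha1($password . strtolower($username));
}

// Returns the printable ASCII characters that $filter alters when they
// appear inside a password, i.e. the ones for which the hash stored at
// account creation no longer matches the hash of the typed password.
function chars_changing_hash(callable $filter, string $username): array
{
    $bad = [];
    for ($c = 0x20; $c <= 0x7e; $c++) {
        $typed  = 'pw' . chr($c) . 'end';            // constructed sample password
        $stored = stand_in_hash($username, $filter($typed));
        $login  = stand_in_hash($username, $typed);
        if (!hash_equals($stored, $login)) {
            $bad[] = chr($c);
        }
    }
    return $bad;
}

$user = 'someone@example.com';                       // constructed sample account

// Case 1: the cleaning step is applied to the password as well.
$bad = chars_changing_hash('clean_input', $user);
echo "filtered password: ", count($bad), " characters break login: ",
     implode(' ', $bad), "\n";

// Case 2: the password reaches the hash untouched; nothing is reported.
$bad = chars_changing_hash(fn(string $s): string => $s, $user);
echo "raw password: ", count($bad), " characters break login\n";
```

Swapping the real form-handling function in for `clean_input` shows whether the account-creation side alters any character; an empty result there points the search at the login side instead.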