• Plugin v 1.0.3
    When trying to log in:
    Warning: file_put_contents(/var/www/wordpress/hashBWALL) [function.file-put-contents]: failed to open stream: No such file or directory in /__removed__/public_html/test/wp-content/plugins/ballast-security-securing-hashing/BallastSecurityHasher.php on line 340

    Warning: Wrong parameter count for strstr() in /__removed__/public_html/test/wp-content/plugins/ballast-security-securing-hashing/BallastSecurityHasher.php on line 146

    So I can’t log back in. This was a test installation, so no problem. I’m gonna delete it and restore the password via MySQL admin.
    However, this is a very serious issue…

    https://www.ads-software.com/extend/plugins/baw-more-secure-login/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter HacKan

    (@hackan)

    Well, I was checking the code… First of all, the second error:
    143 else if($this->StartsWith($hash, '$BPBK$100k$'))
    144 {
    145 $saltAndhash = substr($hash, 11);
    146 $salt = strstr($saltAndhash, '$', true);
    147 $hash = substr(strstr($saltAndhash, '$'), 1);
    148 $realHash = base64_encode($this->BSPBKDF2($password, base64_decode($salt), 100000));
    149 return ($hash == $realHash);
    150 }

    I can’t see the error here, the line is correctly formatted :S

    --------
    Now the first one:

    338 function wp_check_password($password, $hash, $user_id = '')
    339 {
    340 file_put_contents("/var/www/wordpress/hashBWALL", "hash = $hash\n", FILE_APPEND);
    341 global $wp_hasher;
    341 $wp_hasher = new BallastPHPHash();

    Well, clearly I dunno how it is expecting to write /var/www/wordpress/hashBWALL xD

    Thread Starter HacKan

    (@hackan)

    OK, I found out that the second error is due to my server’s PHP version. That function supports the third param as of PHP v5.3.0; my server has… a bit older one…
    Would you consider changing that line for a more compatible one?

    Might be solved this way:

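    function rstrstr($haystack, $needle, $start = 0)
        {
            // Emulates strstr($haystack, $needle, true) for PHP < 5.3
            $pos = strpos($haystack, $needle, $start);
            // Return false when the needle is absent, as strstr() does
            return ($pos === false) ? false : substr($haystack, $start, $pos - $start);
        }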

    https://www.php.net/manual/es/function.strstr.php#103577
    I was actually thinking of doing something like that xD
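
As an added example (not part of the thread and not the plugin's code), here is one way to verify a `$BPBK$100k$` record so that it runs on PHP older than 5.3, rejects malformed records, compares in constant time, and never writes the hash to disk. The helper names and the `$kdf` callable standing in for the plugin's `BSPBKDF2()` are assumptions, as is the PBKDF2-HMAC-SHA256 demo KDF.

```php
<?php
// Added example. Format assumed from the quoted lines: $BPBK$100k$<b64 salt>$<b64 key>
// Split "<salt>$<hash>" with strpos() only, so it also runs on PHP < 5.3.
function split_salt_and_hash($saltAndHash)
{
    $pos = strpos($saltAndHash, '$');
    if ($pos === false || $pos === 0) {
        return false; // malformed: no delimiter, or empty salt
    }
    return array(substr($saltAndHash, 0, $pos), (string) substr($saltAndHash, $pos + 1));
}

// Constant-time string comparison; hash_equals() only exists from PHP 5.6.
function constant_time_equals($known, $given)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $given);
    }
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// $kdf is a callable standing in for the plugin's BSPBKDF2() (assumption).
function check_bpbk_100k($password, $stored, $kdf)
{
    $prefix = '$BPBK$100k$'; // 11 characters, matching substr($hash, 11) in the thread
    $parts  = (strncmp($stored, $prefix, 11) === 0) ? split_salt_and_hash(substr($stored, 11)) : false;
    $salt   = ($parts === false) ? false : base64_decode($parts[0], true);
    if ($salt === false) {
        return false; // reject malformed records instead of hashing garbage
    }
    $real = base64_encode(call_user_func($kdf, $password, $salt, 100000));
    return constant_time_equals($real, $parts[1]);
}

// Constructed demo record; the stand-in KDF needs PHP >= 5.5 for hash_pbkdf2().
function demo_kdf($p, $s, $n) { return hash_pbkdf2('sha256', $p, $s, $n, 32, true); }
$stored = '$BPBK$100k$' . base64_encode('constructed-salt') . '$'
        . base64_encode(demo_kdf('correct horse', 'constructed-salt', 100000));
var_dump(check_bpbk_100k('correct horse', $stored, 'demo_kdf'));
var_dump(check_bpbk_100k('wrong', $stored, 'demo_kdf'));
var_dump(check_bpbk_100k('x', '$BPBK$100k$nodelimiter', 'demo_kdf'));
```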

    Thread Starter HacKan

    (@hackan)

    Yep, that definitely solves the 2nd issue.
    For the first one, I simply commented out that line. I dunno what that was doing there, it seems to be for debugging purposes, is it?

    Will you apply those changes officially? Just to be sure there’s no drawback here, ’cause I know almost nothing about PHP.

    Edit: I’ve just noticed, the plugin says version 1.2, yet WordPress says 1.0.3

    here is the plugin modified: https://pastebin.com/HqxVnj3A

    Regards,
    HacKan

    lol, wrong support forums. This is a completely unrelated plugin by an unrelated author. To be honest though, he is a bit of a jerk, so I had a good laugh.

    You are looking for https://www.ads-software.com/extend/plugins/ballast-security-securing-hashing/ which I develop.

  • The topic ‘[Plugin: BAW More Secure Login] Broken plugin locks out of wp admin’ is closed to new replies.