
Registration storing plain text passwords?

12 years 1 month ago - 12 years 1 month ago #195930 by ortomedia
Hi guys,

I have been having a few issues with a couple of plugins over the last few days and have finally found out a problem that is quite serious but I don't know what is causing it...

Basically I have CB 1.8 with Joomla 2.5.3 (plus the #3354 patch for CB Auto Actions) and have been unable to log in on the front-end of my site after testing the registration process.

I installed a SQL viewer just now and can see that after CB registration the passwords are being stored in plain text! I re-entered the same password via the admin area and clicked save and this stores the password in the hashed form.

It appears that there is a major security bug with the version I am using? Has anyone else found this too, or is anyone using the same plugins?

Urgently need an answer to this as I'm 4 days behind on a client's website!!

Thanks,

Shorn.
Last edit: 12 years 1 month ago by krileon.

12 years 1 month ago - 12 years 1 month ago #195972 by ortomedia
Replied by ortomedia on topic Re: Registration storing plain text passwords?
Hi,

Is anyone else having issues with plain text passwords? Just to confirm, I don't have CB Subs installed and this is happening on the main registration page on CB 1.8.

I have also just discovered that this is happening even in the admin section too! If I use the CB admin section to create a user then look at the jos_users table the passwords are stored in plain text :(

Thanks.

Shorn.
Last edit: 12 years 1 month ago by krileon.

12 years 1 month ago - 12 years 1 month ago #195984 by nant

ortomedia wrote: Hi,

Is anyone else having issues with plain text passwords? Just to confirm, I don't have CB Subs installed and this is happening on the main registration page on CB 1.8.

I have also just discovered that this is happening even in the admin section too! If I use the CB admin section to create a user then look at the jos_users table the passwords are stored in plain text :(

Thanks.

Shorn.


I just tested on a clean J253/CB18 site and passwords are hashed just fine here.
But I am not using CB Auto Actions, so it's not a CB bug.

Kyle will follow-up on Auto Action plugin asap.
Last edit: 12 years 1 month ago by krileon.

12 years 1 month ago - 12 years 1 month ago #196005 by krileon
Cannot confirm plain text password storage. CB Auto Actions is capable of doing this, but it requires it to be configured to do it and only the after registration and after login triggers have access to a plaintext password. However, you'd have had to create an action to store it as plaintext.

Disable CB Auto Actions and confirm if plaintext storage is still happening. If not then it's not the culprit and something else installed is conflicting with the registration process. Often this is a Joomla System or User plugin; disable all 3rd party Joomla System and User plugins 1 by 1 until resolved.

If still not resolved after performing the above debug steps please PM backend login credentials and will take a look.

I've edited your thread title. It does no one good to post in all caps (screaming).


Kyle (Krileon)
Community Builder Team Member
Last edit: 12 years 1 month ago by krileon.

12 years 1 month ago #196013 by ortomedia
Replied by ortomedia on topic Re: Registration storing plain text passwords?
Hi Kyle,

Thanks for the reply. I have tested the situation with CB Auto actions disabled and can confirm that the problem still happens.

The confusing thing is that I have an older version test site with exactly the same plugins installed and the only difference I can find between them is the #3354 patch for cb.tables.php and that CB auto actions is installed. I know you have said already that this wouldn't cause these problems but I have no idea how this can just start to happen when all I have been working on is content?

I have disabled the MySQL viewer component too as that was installed recently and still the same problem. And just to confirm if I enter the user via CB admin section, the password is plain text. If I add a user via Joomla admin section, password is hashed!!

Very confused now. :(
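
A read-only audit for the symptom reported in this thread (an added example, not code from the thread or from Community Builder): it classifies each stored value in a `jos_users`-style table by its shape and lists the accounts whose password column does not look like any hash. The hash layouts, the in-memory SQLite stand-in for the site's MySQL database and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import re
import sqlite3

# Stored-password layouts treated as hashes (assumption: formats Joomla has used).
HASH_FORMATS = {
    "md5:salt": re.compile(r"[0-9a-f]{32}:[A-Za-z0-9]+"),  # md5(password + salt):salt
    "phpass": re.compile(r"\$P\$[./0-9A-Za-z]{31}"),
    "bcrypt": re.compile(r"\$2[axy]\$\d{2}\$[./0-9A-Za-z]{53}"),
    "md5 unsalted": re.compile(r"[0-9a-f]{32}"),
}
NOT_A_HASH = "NOT A HASH"

def classify(stored):
    """Name the layout a stored value matches in full, or NOT_A_HASH."""
    for name, pattern in HASH_FORMATS.items():
        if pattern.fullmatch(stored):
            return name
    return NOT_A_HASH

def audit(conn, table="jos_users"):
    """Return (id, username, layout) per row; the password value is never returned."""
    if not re.fullmatch(r"\w+", table):  # identifiers cannot be bound as parameters
        raise ValueError("unexpected table name")
    rows = conn.execute(f"SELECT id, username, password FROM {table} ORDER BY id")
    return [(uid, name, classify(pw or "")) for uid, name, pw in rows]

def suspects(conn, table="jos_users"):
    """Accounts whose stored value is not hash-shaped."""
    return [(uid, name) for uid, name, layout in audit(conn, table) if layout == NOT_A_HASH]

def sample_db():
    """Constructed rows in an in-memory SQLite stand-in for the site's database."""
    salt = "Kq3vT8mZx1Yw5RcN7pLd2HsB9fGj4UeA"
    salted = hashlib.md5(("constructed-pw" + salt).encode()).hexdigest() + ":" + salt
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?)", [
        (62, "added_in_joomla_admin", salted),
        (63, "added_in_cb_admin", "Summer2012!"),  # stored exactly as typed
        (64, "bcrypt_shaped", "$2y$10$" + "a" * 53),
        (65, "legacy", hashlib.md5(b"constructed-pw").hexdigest()),
    ])
    return conn

if __name__ == "__main__":
    for uid, name, layout in audit(sample_db()):
        print(f"{uid:>4}  {name:<24} {layout}")
```

The check is by shape only, so a plaintext password that happens to be 32 hex characters would be reported as an unsalted MD5 value.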

12 years 1 month ago #196014 by ortomedia
Replied by ortomedia on topic Re: Registration storing plain text passwords?
oops sorry about the title thread!
