Force Admin Password

From Davical

You can force an administrator's (or any user's) password with a short piece of SQL run against the DAViCal database:

UPDATE usr SET password = '**password' WHERE user_no=1;

Assuming the administrator is user number 1 (which will normally be the case; check the usr table first if you are not sure) their password will then be 'password'.

Security Implications

Any password set in this manner is stored as plain text, so it can be read by anyone who can query the usr table (and it will also sit in your psql or shell history and in any SQL logging) until it is changed.

When passwords are changed through the administrative interface they are stored as salted hashes (MD5 or SHA-1), from which the password cannot be read directly (a fast hash such as MD5 or SHA-1 can still be brute-forced offline if the password itself is weak). With a salted hash, even when two people use the same password, there will still be different values in their password field, and the administrator cannot casually tell what a password is.

Password Formats

The password is stored in one of three formats. The formats are distinguished from each other by the initial characters of the stored value.

Plain Text Passwords

If the first two characters are '**' then the rest of the string is the plain text password. Plain text passwords are useful for an administrator who needs to force a particular password through SQL, but whenever a password is set through the application itself it is stored as a salted hash.

MD5 salted hash

If the stored value begins with *<salt>* (where <salt> is a random series of characters not including '*') then the rest of the string is an MD5 hash of the password combined with the salt, i.e. a salted hash. The salt is kept in the clear so that the same hash can be recomputed when the password is checked.

SSHA Passwords

If you are using PHP 5.0 or later, DAViCal will use SSHA passwords rather than MD5 salted hashes. The SSHA password is compatible with passwords used in LDAP, so the hashed values may be copied directly, albeit with some additional formatting in the DAViCal value. SSHA passwords also use the SHA-1 hashing algorithm rather than MD5, which is a modest improvement; both remain fast, single-pass hashes, so the strength of the password itself still matters.

The format, in this case, is "*<salt>*<LDAP compatible SSHA password>" and the <LDAP compatible SSHA password> is "{SSHA}<SHA-1 salted hash>", which in the usual LDAP convention is the base64 encoding of the SHA-1 digest of the password followed by the salt, with the salt bytes appended after the digest. Read the code in /usr/share/awl/inc/AWLUtilities.php if you want to understand that format more deeply!
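The three formats above, together with the UPDATE from the top of this page, as an added example in Python (this is not DAViCal's or AWL's own code). It builds a value in each format, tells which format a stored value is in, checks a candidate password against it, and emits the UPDATE statement with a hashed value so the forced password is not left readable in the usr table. The md5_only switch in verify() models a node that cannot decode SSHA values, the PHP 4 situation described in the note at the end of this page. Assumptions, also marked in comments: the salt alphabet, the byte order used for the MD5 variant (the page says "password + salt" without fixing the order; the example uses salt first and that should be confirmed against session_salted_md5() in AWLUtilities.php), and the table and column names, which are taken from the page.

```python
"""Build and check values for the DAViCal usr.password column.

Added example, not code from DAViCal or the AWL library.  It follows the
three formats this page describes:
  **<password>              plain text
  *<salt>*<md5 hex>         salted MD5
  *<salt>*{SSHA}<base64>    salted SHA-1 in the LDAP SSHA layout
"""
import base64
import hashlib
import hmac
import secrets
import string

# ASSUMPTION: salt alphabet.  Letters and digits only, so '*' (the field
# delimiter) can never appear inside a salt.
_SALT_CHARS = string.ascii_letters + string.digits


def _salt(salt: str, length: int = 8) -> str:
    """Return the given salt after validation, or a fresh random one."""
    if salt == "":
        return "".join(secrets.choice(_SALT_CHARS) for _ in range(length))
    if "*" in salt:
        raise ValueError("salt must not contain '*'")
    return salt


def encode_plain(password: str) -> str:
    """'**' + password: the plain-text form used when forcing via SQL."""
    return "**" + password


def encode_md5(password: str, salt: str = "") -> str:
    """'*<salt>*<md5 hex>'.

    ASSUMPTION: the salt is prepended before hashing, md5(salt + password).
    The page only says "a hash of (password + salt)"; confirm the order
    against session_salted_md5() in /usr/share/awl/inc/AWLUtilities.php.
    """
    salt = _salt(salt)
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"*{salt}*{digest}"


def encode_ssha(password: str, salt: str = "") -> str:
    """'*<salt>*{SSHA}<base64>' using the LDAP SSHA layout:
    base64( sha1(password + salt) || salt ).  The salt is repeated in
    front so the salt can be recovered without decoding the base64 part."""
    salt = _salt(salt)
    sbytes = salt.encode("utf-8")
    raw = hashlib.sha1(password.encode("utf-8") + sbytes).digest() + sbytes
    return f"*{salt}*{{SSHA}}{base64.b64encode(raw).decode('ascii')}"


def classify(stored: str) -> str:
    """Name the format of a stored value: plain, md5, ssha or unknown."""
    if stored.startswith("**"):
        return "plain"
    close = stored.find("*", 1)          # position of the second '*'
    if stored.startswith("*") and close > 1:
        return "ssha" if stored[close + 1:].startswith("{SSHA}") else "md5"
    return "unknown"


def verify(password: str, stored: str, md5_only: bool = False) -> bool:
    """Check a candidate password against a stored value.

    md5_only=True models a node that cannot handle SSHA values: it denies
    access to every SSHA-hashed user even when the password is right.
    """
    kind = classify(stored)
    if kind == "plain":
        expected = encode_plain(password)
    elif kind == "md5":
        expected = encode_md5(password, stored[1:stored.find("*", 1)])
    elif kind == "ssha" and not md5_only:
        expected = encode_ssha(password, stored[1:stored.find("*", 1)])
    else:
        return False                     # unknown format or unsupported node
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def force_password_sql(user_no: int, stored: str) -> str:
    """The UPDATE from this page with the value to store filled in.

    Single quotes are doubled so a plain-text password containing one
    cannot break (or alter) the statement.
    """
    literal = stored.replace("'", "''")
    return f"UPDATE usr SET password = '{literal}' WHERE user_no={int(user_no)};"


if __name__ == "__main__":
    # Prefer the SSHA form: the password is not readable from the column.
    print(force_password_sql(1, encode_ssha("password")))
```

Run the script and paste the printed UPDATE into psql in place of the plain-text one; the forced password then works for login but is not visible in the usr table.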

Granting Admin Privileges

The initial 'admin' user is not in any way special. You can grant admin rights to any user through editing the user page, or if you're desperate through inserting a new row into the 'role_member' table with an appropriate user_no and role_id (see the roles table for the id of the admin role).

Humorous Note

The use of two servers against the same DAViCal database can cause password issues if the administrative interface is accessed through a machine running PHP 5 and password changes are made there, while calendar clients connect via a machine running PHP 4: the PHP 4 machine will not be able to decode the SSHA passwords, and access will be denied. So don't do that (yes, someone did :-)