Announcement

**NinjaKiwi** · Tue 18 Aug '20, 3:12pm

Also if we can encrypt it is there a way to get all users to reset their password on next login?

**OrganForum** · Wed 19 Aug '20, 8:21am

A user on my forum has seen this as well, at least twice, most recently, last week, but we've been unable to reproduce.

He was using

Chrome 84.0.4147.105
10.13.6 (OSX)
MacBook Air
VBulletin 5.6.2 PL 1
Standard, top of the page, Forum log in
Not using password manager.
Reported log-in was slow. Had slow connection of under 5 Mbps and "almost non-existent upload speeds" at the time.
Query string with username and password appeared in address bar when log in completed.

AFAIK, it's not possible to log via URL query string. Forum configured per my Sig.

**Wayne Luke** · Wed 19 Aug '20, 8:24am

The software shouldn't use a query string for login. It may be a fallback if the AJAX login fails. JavaScript is required to use vBulletin. Blocking any Javascript at the client level can lead to weird behavior.

To encrypt your site, you should be using a proper security certificate and HTTPS.

**NinjaKiwi** · Wed 19 Aug '20, 2:10pm

Thanks for the replies. In my case javascript was not disabled. First we had some concerned user reports with screen shots - I can't confirm whether they had Javascript enabled or not.
But I then logged in with Chrome (javascript enabled) and observed the username and password in the query string of the URL. I repeated this and saw the same thing.
I thought the passwords in the database would be encrypted, so at least it would just show a hash if this did display?

**Wayne Luke** · Wed 19 Aug '20, 5:19pm

Passwords in the database are hashed, not encrypted. Either using the Argon2id or Blowfish hashing algorithms.

Passwords entered into a form field are plain text. To hash these in an appropriate manner within the browser, it would require additional software on the user's machine. At least as far as I know. Forms are encrypted when sent to the server when you use HTTPS. This is the recommended method. This allows the server to take the submitted password, hash it using the same parameters as the stored password and compare the two. This also allows the system to upgrade the user's password hash if their hash is stored in an older format such as the legacy vBulletin 4 MD5 hash or Blowfish when Argon2ID is available.

I have been trying to recreate this in vBulletin 5.6.3 and cannot do so using the default login forum available in the upper right corner.

**NinjaKiwi** · Wed 19 Aug '20, 6:33pm

Thanks Wayne - I am also on Mac OS as the other person with the same issue reported. Running the latest Chrome and we have the forums under https.

**NinjaKiwi** · Wed 19 Aug '20, 7:45pm

Ok, further to this it looks like login may actually be broken since we recently upgraded to 5.6.2 - I didn't notice because my account stays logged in. But if I log out login actually fails with no error but the username and password show in the URL I can login if I go to the AdminCP and then I'm logged in to the front end as well. But front end log in appears to be broken.
I posted another issue in a seperate thread - Our registration form disappeared after upgrade as well and it was recommended I look at tools.php to rebuild- I have not done this yet as the password showing in the URL was more urgent, we're concerned the server logs would show a lot of usernames and passwords if anyone got hold of it.
But I am wondering now if the two are related - login seems as if it may be broken, as well as the registration page disappearing, and if login is failing that could be why the password shows in the URL as was mentioned above.
Is this a known issue - is there a way to rebuild the login flow as well as the Registration page?
Thanks for your time

**Wayne Luke** · Thu 20 Aug '20, 1:02am

Did you upgrade from a version before 5.6.0? The login functionality was refactored in 5.6.0 and works in a completely different method than before.

If you edited your header module before upgrading to 5.6.2, please revert it. Does the login work properly after that? If you are using a module for login, make sure you're displaying the login_main template.

**NinjaKiwi** · Thu 27 Aug '20, 9:34pm

Hi Wayne,
I am still having the same problems mentioned before. I've just completed upgrade to 5.6.3 and the issues are the same.
The registration page is missing - I used tools.php to rebuild it, and when viewing the server via its IP address I could see a registration form. but it is not present on the live site.
Also login is broken, when you enter username and password login fails and the username and password are shown in the query string in the URL.
I reverted my header templates as advised but still no luck.
The forums are currently live https://forums.ninjakiwi.com/

**Mark.B** · Fri 28 Aug '20, 3:03am

Does the same issue occur if you create a brand new style with no parent, and browse the site using that?
This creates a completely default style with no changes.

**Wayne Luke** · Fri 28 Aug '20, 9:27am

What is the exact content of this Notice:

Welcome to the NK Forums!

These forums require you to create a new account (and activate it) as it does not use your ninjakiwi.com game account. It is recommended that you use the same name to register. Do not take someone else's name. New members will need 5 posts and 1 day before they can create a new topic. If you have a question and can't make a thread, use the General Questions Thread. Have fun, read the rules and enjoy the NK forums!

**NinjaKiwi** · Mon 31 Aug '20, 3:08pm

Hi Wayne, Hi Mark,
Thanks for your help.

Mark, I've created a new style and made it active - am still seeing the same issue - cannot login - username and password appear in URL query string. Register page does not display form. https://forums.ninjakiwi.com/

Wayne,
I've disabled all notices to see if that made any difference but unfortunately not. The notice you mentioned is not active anymore but the content was:

Code:

<b>Welcome to the NK Forums!</b>
<p>
<p>
These forums require you to create a new account (and activate it) as it does not use your ninjakiwi.com game account. It is recommended that you use the same name to register. Do not take someone else's name. New members will need 5 posts and 1 day before they can create a new topic.

If you have a question and can't make a thread, use the <a href="https://forums.ninjakiwi.com/forum/main-forum/help-and-support/9283-general-questions-thread-and-ask-here-if-you-can-t-make-a-thread">General Questions Thread</a>.

Have fun, <a href="https://forums.ninjakiwi.com/forum/main-forum/help-and-support/107-ninjakiwi-forum-rules">read the rules</a> and enjoy the NK forums!

**Wayne Luke** · Mon 31 Aug '20, 3:21pm

We will need a support ticket and access to the server. I have no idea why it is doing that.

**NinjaKiwi** · Mon 31 Aug '20, 4:11pm

Thanks Wayne - I was about to submit a ticket when I thought about Cloudflare. Have disabled some security settings and presto, it's actually working... Thanks so much for the patience guys.

Announcement

Username and Password shows in query string

Username and Password shows in query string

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment