Home/ Questions/Q 7814307
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T05:09:24+00:00

I am working with the moodle system, but it turns out that it uses

  • 0

I am working with the moodle system, but it turns out that it uses md5 salt hashing. I found some come, so maybe you could explaint it to me because I am have only basic knowledge of php.

function validate_internal_user_password($user, $password) {
global $CFG;

if (!isset($CFG->passwordsaltmain)) {
    $CFG->passwordsaltmain = '';
}

$validated = false;

if ($user->password === 'not cached') {
    // internal password is not used at all, it can not validate

} else if ($user->password === md5($password.$CFG->passwordsaltmain)
        or $user->password === md5($password)
        or $user->password === md5(addslashes($password).$CFG->passwordsaltmain)
        or $user->password === md5(addslashes($password))) {
    // note: we are intentionally using the addslashes() here because we
    //       need to accept old password hashes of passwords with magic quotes
    $validated = true;

} else {
    for ($i=1; $i<=20; $i++) { //20 alternative salts should be enough, right?
        $alt = 'passwordsaltalt'.$i;
        if (!empty($CFG->$alt)) {
            if ($user->password === md5($password.$CFG->$alt) or $user->password === md5(addslashes($password).$CFG->$alt)) {
                $validated = true;
                break;
            }
        }
    }
}

if ($validated) {
    // force update of password hash using latest main password salt and encoding if needed
    update_internal_user_password($user, $password);
}

return $validated;

}

Would it be hard to change it that after entering simple text it would became hashed?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is a password validation with some legacy password in them.

    There are 5 forms of passwords it will allow:

    • md5(password)
    • md5(addslashes(password))
    • md5(password + generic salt)
    • md5(addslashed) + generic salt)
    • md5(password + saltX)

    First things first, what is md5? md5 is “message digest 5”. Long story short it’s a function to transforms a string into a 32 character string call a hash. The main property of the hash is that it’s hard (as in computationally hard) to get the original string back. Ideal for storing passwords, right? 🙂

    But a password alone is not enough. Imagine your password is “dragon” (very bad password btw). If you happen to know that “dragon” is “8621ffdbc5698829397d97767ac13db3” in md5 you can know the password just by looking at the hash. So you add what is called a ‘salt’. Which is just another word to add to the password before hashing.

    If your salt is “notsob1gs3cret” the password is essentially “dragonnotsob1gs3cret” which results in: “c47948e6b966357f1b9a3732c4ee7c72” which doesn’t look anything like “8621ffdbc5698829397d97767ac13db3”. This is another property of a hash, input that is similar should produce output that is not at all similar, enough to be almost as similar as any random word.

    If your attacker has never seen the salt “notsob1gs3cret” it wont be so easy for him to guess the original password.

    So about your code. Disregard the addslashes, that is probably from some legacy bug. It looks like someone tried to add a salting mechanism later on and still wanted all the old password to work, but it looks a bit clumsy. Ideally you’d only have one valid password mechanism and upgrade your weaker security.

    There are 20 different salts, which is a fair idea I suppose .. but the code doesn’t seem to know which one was used .. so it tries all of them? That’s weird and could potentially be unsafe.

    To hash a bit of text just do:

    $text = "a bit of text";
var_dump(md5($text));
    • 0