Hello all-
I recently upgraded a client's ZP from 1.4.0.x to 1.4.2 (because of the tinymce security hole) and ran across a couple things that might be worth sharing.
After the upgrade was complete I logged out of ZP & attempted to log back in with failure. I tried the owner's administrative account with failure too. I checked the MD5 password hashes in the DB against my notes from the last upgrade and they matched. Still no love.
I then used "I forgot my User ID/Password" which brought me to the challenge "What is your father's middle name?". Neither the owner nor I had ever set challenge questions in ZP, probably our bad. Anyway, I was able to enter a blank response to the challenge and change my password (which now required a password including a special character) and all was good. I was able to change the owner's password accordingly and I set challenge/response for both of us.
Point being, unless I missed something, the lockout was unexpected and the default challenge seems to be a hole (at least in our situation).
Did I miss something and has anyone else run across this?
Thanks
Karl