Authenticate against Miva's users database?


    I've been coding some maintenance tools in Perl and PHP to be run from our site's cgi-bin directory, and was thinking of having the tools ask for a login to improve security. This login would ask for a Miva username and password and then authenticate against users.dbf.

    Problem is, I don't know how Miva encrypts the users' passwords. I remember reading somewhere that the actual encryption method used by Miva depends on the server it's running on, but not how it implements this mystery encryption method so I could attempt running it from the shell. I know enough that they're not md5 or sha1 hashes.

    I suppose I'm looking for one of two things:
    1. Learn how Miva uses a server/shell's encryption method so I can implement this in my own Perl/PHP script.
    2. Find a way to run a password through miva/mivavm and have it spit out the encrypted password.

    #2
    Re: Authenticate against Miva's users database?

    If it's Merchant 4, the users.dbf uses the traditional DES-based Unix crypt encryption; old Merchant 5 does too, and newer Merchant 5 uses SHA1.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com
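
One way to do the login check in PHP for the DES-based crypt case named in post #2 (an added example, not code from Miva or from any poster in this thread). It assumes the stored hash has already been read from users.dbf; `is_des_crypt`, `verify_des_crypt` and the sample password and salt are hypothetical names and constructed values.

```php
<?php
// Added example, not Miva code: check a login against a traditional
// DES-based crypt(3) hash, the format post #2 names for Merchant 4.
// Reading the hash out of users.dbf is not shown; $stored stands for
// the value of that password field.

const DES_CRYPT_RE = '#^[./0-9A-Za-z]{13}$#';

function is_des_crypt(string $stored): bool
{
    // Traditional DES crypt output: 2 salt chars + 11 hash chars.
    return preg_match(DES_CRYPT_RE, $stored) === 1;
}

function verify_des_crypt(string $password, string $stored): bool
{
    if (!is_des_crypt($stored)) {
        // Anything else (e.g. the SHA1 form of newer Merchant 5, whose
        // layout the thread does not give) is rejected, not guessed at.
        return false;
    }
    // Passing the stored hash as the salt makes crypt() reuse its
    // first two characters as the salt.
    $candidate = crypt($password, $stored);
    // hash_equals() compares in constant time.
    return hash_equals($stored, $candidate);
}

// Constructed sample record: the salt "ab" and the password are made up.
$stored = crypt('s3cr3tpw', 'ab');

var_dump(verify_des_crypt('s3cr3tpw', $stored));  // correct password
var_dump(verify_des_crypt('wrongpw', $stored));   // wrong password
// DES crypt reads only the first 8 characters of the password, so a
// longer input sharing that prefix is accepted as well.
var_dump(verify_des_crypt('s3cr3tpwEXTRA', $stored));
// A 40-character value is not in DES crypt format and is rejected.
var_dump(verify_des_crypt('s3cr3tpw', str_repeat('a', 40)));
```

The third call shows why this format is weak for a maintenance login: only the first 8 characters of the password count.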



      #3
      Re: Authenticate against Miva's users database?

      It would be a good idea to scrap the SHA1 authentication as way too simple and non-secure. It has been proven that SHA1-encrypted passwords can be cracked in well under 1 hour (6 passwords in 49 minutes), using Amazon's EC2 cloud instance running at $2.10/hr for computing resources. At those rates any hacker or anyone with some basic Linux knowledge and a few quarters can crack passwords in no time, as very detailed instructions were posted on the net last week.
