strange login problem since upgrading to jml 2.5.19 -pls help

[slammy]

Hi Vm-Community,

I have an urgent and very fat problem: Mid of March I did the joomla-update from jml 2.5.17 to 2.5.19. I use vm 2.0.24a on my live site. Php Server-version is 5.4. No account activation is default Setting at us.

The last days we recieved emails from clients who asked for help because they could not login or register on our website. Trying out the registration, I found out that no account creation is possible anymore. If I register an account, it both says after registration: "Registration completed" and "Username and passwort does not match". Using the function to reset the password does not help, even if the admin is setting a new pwd for the user in BE, the user can´t login. What first was confusing to me,  that we did have orders last days, from europe and outside. The Thing is, that it´s possible to create the order and process it to its end while the users are logged in with help of the session-data. If they logout, they cannot login anymore with the password. I did take a deeper look into some tables at the db, but couldn´t find any differnces between the old user-entrys and new ones. BUT: If I copy a known old md5 passwort-hash from a extisting old user  to a new registered account, the login works and no errormessage is displayed. If the user changes the Password again, the login is again broken.

Of course I backup my site and dump the db to do some testing today and played around with installing vm 2.0.26d and jml 2.5.18 and jml 2.5.19 in sequential steps. As far as I upgrade to 2.5.18, the registration does not work anymore. I did read something about a change concerning the crypted hashes from md5 to bcrypt or changes regarding something named PHPASS what sound slike authentication.

If I downgrade again to jml 2.5.17 - both with vm 2.0.24a and vm 2.0.26d - the account registration works as expected. Of course I know that this is shit because 2.5.17 is insecure.

I have only two extern plugins: direct debit Mandate and eu vat checker, of course I tested it both deactivated and with new installations of the new versions.

I really need some input. What is wrong with my site? Do other people have been facing this problem and how did you solve it?
would appreciate any help. thx and regards jens

 

[Milbo]

As far as I know the problem is in joomla itself.

Of course I backup my site and dump the db to do some testing today and played around with installing vm 2.0.26d and jml 2.5.18 and jml 2.5.19 in sequential steps. As far as I upgrade to 2.5.18, the registration does not work anymore. I did read something about a change concerning the crypted hashes from md5 to bcrypt or changes regarding something named PHPASS what sound slike authentication.

Yes, there is the trouble.

[slammy]

hi milbo,
thx for your reply. hope you´re doing fine. What do you recommend me to do concerning my update-strategy joomla 3.x and vm 2.1 or 2.5.5 yet? It´s not clear to me if joomla 3 will be an installable update for 2.5.x or does it need a fresh installation and if vm 2.1|2.5.5 too?  Besides, the file notation and ordering at dev.virtuemart.net confuses me a bit. Is vm 2.5.5 "higher" than vm 2.1? It seems I am a bit outdated and have to read the threads concerning the upcoming changes in jml and vm... regards jens

[Milbo]

vm2.1 is atm internally vm2.9 will be released as RC named VM3. Actually the whole thing is strange, because the j2.5.19 should have a fix running at least at php 5.3.10. Maybe you have some plugin activated? You can use different encryption methods imho. So maybe you just need to disable that plugin.

I would not use joomla 3. They are still doing important security fixes for j2.5, I would stay with it. If you update to j3.2 now, you have to update to j3.3 and j3.5. I think it is better to update directly j2.5 to j3.5, there will be a decent migrator/updater or joomla provides already one. The problems come with all the other extensions. They list often they are compatible to the j3, but sometimes they were compatible for j3.0,.. then you update to j3.1, but the extension does not work anylonger and the developer says he will do it the next months. Then you want to buy another extension for j3.1, but it does not work on j3.0, because they portet their extension later. So you must wait, then there comes j3.2,.. then you update to j3.2, because the guys of the first extension directly made the step from j3.0 to j3.1, ..... and you have kind of this games for any STR. They say the STR is stable, but if it would be stable, there wouldnt be a need for a STR. It could be directly a LTR.

These are the problems. Virtuemart 3 will be released for j3.3 (in case they keep the 1. april).

[jenkinhill]

22 April is now the proposed release date for J3.3 (stable)  - http://community.joomla.org/blogs/leadership/1812-update-on-the-joomla-33-release-schedule.html

[slammy]

Thank you both for your information and milbo for clarifying some important points to me.

vm2.1 is atm internally vm2.9 will be released as RC named VM3. Actually the whole thing is strange, because the j2.5.19 should have a fix running at least at php 5.3.10. Maybe you have some plugin activated? You can use different encryption methods imho. So maybe you just need to disable that plugin.

milbo, did I understand you right: if I downgrade from php5.4 to at least php 5.3.10, then the registration could work again with 2.5.19? Did you mean standard joomla plugins or from installed extensions and concerning the encryption settings, you meant the settings in php not the installed modules for apache or? greetz jens

[Milbo]

I meant joomla plugins. Actually I dont know how they handled it now. In any case you should always use the latest version of a series, atm php5.3.27.

[slammy]

Milbo, thanks for your time. Will see if I can handle the problem with changing authentication-settings at joomla. will post my finals and solution here if I find one. regards jens

[slammy]

Ok, my solution to this: Reinstall sequentially joomla 2.5.16, 2.5.17, 2.5.18, 2.5.19. Now authentication does work fine again. Cannot say if my base-installation was corrupted maybe ...