TYPO3 Core

When the ext 'kb_md5fepw' is configured to work with the login forms of 'felogin', (and the registration form of 'sr_feuser_register'), the password is md5 encrypted before being sent back to the database.

Now the new ' Forgot your password? ' form in ext ' felogin ' works as expected, ie it successfully sends back the new password to fe_user table but in plain text.

Here the lies problem; when a website fe user goes to login after they have submitted a password change the encrypted password being submitted by the 'felogin' form doesn't match the non encrypted password for that user that was inserted in plain text from the 'new/change password' form.

A quick fix for this is to md5 the submitted changed password in this file,noting that the new code checks if ' kb_md5fepw ' installed:

/typo3_src-4.3.2/typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php

At line 269 change:

$newPass = $postData['password1'];

to

$newPass = t3lib_extMgm::isLoaded('kb_md5fepw')?md5($postData['password1']):$postData['password1'];

Please note this is only a workaround to have the 'Forgot your password?' form be aware of extenion ' kb_md5fepw ' being loaded and the need for the plain text password being submitted converted with md5 before updating to database.

Since ' kb_md5fepw ' is about encrypting the password on the client side before being sent back to the website then the better solution would be to make the actual subpart template in file /typo3_src-4.3.2/typo3/sysext/felogin/template.html work like the main subpart template works with ' kb_md5fepw ', and that is to check/modify field values upon form submit.

Also, there perhaps should be client side javascript checking the 'Forgot your password?' form fields password1 & password2 to see that the submitted value are:

- alpha numeric only
- at least 6 characters long
- and both password1 & password2 field values match
(issue imported from #M14101)