Bug #41828
saltedpasswords destroys the password
Status: Closed
Priority: Must have
Category: Authentication
Start date: 2012-10-10
% Done: 100%
TYPO3 Version: 4.6
Description
When a record uses a plain MD5 password, EXT:saltedpasswords ends up destroying the password after 2 edits of the record.
The problem is as follows:
The first time the record is edited (without any change to the password field), the password field is evaluated by tx_saltedpasswords_eval with the following code:
    if ($isEnabled) {
        $set = FALSE;
        $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
        $isSaltedHash = t3lib_div::inList('$1$,$2$,$2a,$P$', substr($value, 0, 3));
        $this->objInstanceSaltedPW = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL, $this->mode);
        if ($isMD5) {
            $set = TRUE;
            $value = 'M' . $this->objInstanceSaltedPW->getHashedPassword($value);
        } elseif (!$isSaltedHash) {
            $set = TRUE;
            $value = $this->objInstanceSaltedPW->getHashedPassword($value);
        }
    }
The password (plain MD5) is found to be MD5 ($isMD5 = TRUE) and is salt-hashed and prefixed with "M".
The next time the record is edited, the password is already salted but prefixed with "M", and thus $isMD5 = FALSE and $isSaltedHash = FALSE, which leads to salt-hashing the already-salted hash a second time, which in turn... destroys the password altogether.
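The double processing described in this report, reproduced as an added stand-alone PHP example (not TYPO3 code and not the fix that was applied to the extension). Assumptions: crypt() with a constructed MD5-crypt salt stands in for getHashedPassword(), and verify() and evaluateIdempotent() are hypothetical helpers that treat "M" as marking a salted hash computed over the MD5 value.

```php
<?php
// Stand-in for getHashedPassword(): MD5-crypt with a constructed salt (assumption).
function saltedHash(string $input, string $salt = '$1$constrct$'): string {
    return crypt($input, $salt);
}

// Same prefix test as t3lib_div::inList('$1$,$2$,$2a,$P$', substr($value, 0, 3)).
function isSaltedHash(string $value): bool {
    return in_array(substr($value, 0, 3), explode(',', '$1$,$2$,$2a,$P$'), true);
}

// Decision logic of the evaluator quoted in the report.
function evaluateAsReported(string $value): string {
    if (preg_match('/[0-9abcdef]{32,32}/', $value)) {
        return 'M' . saltedHash($value);
    }
    return isSaltedHash($value) ? $value : saltedHash($value);
}

// Hypothetical idempotent variant: "M" + salted hash counts as already processed.
function evaluateIdempotent(string $value): string {
    $isUpgradedMd5 = $value !== '' && $value[0] === 'M' && isSaltedHash(substr($value, 1));
    if (isSaltedHash($value) || $isUpgradedMd5) {
        return $value;
    }
    if (preg_match('/^[0-9a-f]{32}$/', $value)) {
        return 'M' . saltedHash($value);
    }
    return saltedHash($value);
}

// Assumed login check: for "M" records the salted hash covers md5(password).
function verify(string $plain, string $stored): bool {
    if ($stored !== '' && $stored[0] === 'M') {
        $hash = substr($stored, 1);
        return hash_equals($hash, crypt(md5($plain), $hash));
    }
    return hash_equals($stored, crypt($plain, $stored));
}

$stored = md5('constructed-password'); // constructed legacy plain-MD5 record
foreach (['evaluateAsReported', 'evaluateIdempotent'] as $eval) {
    $once  = $eval($stored);  // first save of the record, password untouched
    $twice = $eval($once);    // second save of the record, password untouched
    printf("%s: stable=%s, login after 1 save=%s, after 2 saves=%s\n", $eval,
        var_export($once === $twice, true),
        var_export(verify('constructed-password', $once), true),
        var_export(verify('constructed-password', $twice), true));
}
```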