Re: Flog 1.1.2 Remote Admin Password Disclosure

[Valdis.Kletnieks () vt edu]

On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> This isn't a password disclosure, it's a leak of password information.
>
> It's a password hash, you super hacker.

And given the hash, and knowledge of how the hash is computed, it becomes
possible to dictionary-attack (and other related techniques), and thus
get the actual passwords, unless there are other things in place to ensure
that all users have passwords sufficiently strong to resist those techniques.

And given that this:

> http://remote_server/data/users.0.dat

works, the probability that the hashes represent strong passwords is quite
close to nil.

In any *practical* sense, the fact that the attacker can get the hash and
from that extract/compute at least some passwords means that the passwords
are *effectively* disclosed, even if the actual bitstring originally retrieved
isn't the actual password.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/