Full Disclosure mailing list archives
Re: Flog 1.1.2 Remote Admin Password Disclosure
From: Valdis.Kletnieks () vt edu
Date: Fri, 05 Jan 2007 16:12:41 -0500
On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
This isn't a password disclosure, it's a leak of password information. It's a password hash, you super hacker.
And given the hash, and knowledge of how the hash is computed, it becomes possible to dictionary-attack (and other related techniques), and thus get the actual passwords, unless there are other things in place to ensure that all users have passwords sufficiently strong to resist those techniques. And given that this:
http://remote_server/data/users.0.dat
works, the probability that the hashes represent strong passwords is quite close to nil. In any *practical* sense, the fact that the attacker can get the hash and from that extract/compute at least some passwords means that the passwords are *effectively* disclosed, even if the actual bitstring originally retrieved isn't the actual password.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Flog 1.1.2 Remote Admin Password Disclosure corrado.liotta (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Message not available
- Fwd: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 15)