Full Disclosure mailing list archives
Re: Flog 1.1.2 Remote Admin Password Disclosure
From: wac <waldoalvarez00 () gmail com>
Date: Sun, 7 Jan 2007 02:59:26 -0500
On 1/5/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password information.
> >
> > It's a password hash, you super hacker.
>
> And given the hash, and knowledge of how the hash is computed, it becomes possible to dictionary-attack (and other related techniques), and thus get the actual passwords, unless there are other things in place to ensure that all users have passwords sufficiently strong to resist those techniques.

yes that's correct but don't forget that hashes can collide. it could be the case that:

xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234")

and you don't even need the original strong one ;) so strong password is not a countermeasure to that. I believe that is a BIG security hole

Regards
Waldo

> And given that this:
>
> > http://remote_server/data/users.0.dat
>
> works, the probability that the hashes represent strong passwords is quite close to nil. In any *practical* sense, the fact that the attacker can get the hash and from that extract/compute at least some passwords means that the passwords are *effectively* disclosed, even if the actual bitstring originally retrieved isn't the actual password.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
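An added illustration of the point argued in this thread, not code from the thread or from Flog: with a leaked, unsalted, fast hash, one precomputed wordlist table covers every account at once, which is why a readable hash file is effectively a password disclosure; a per-user salt and an iterated hash remove the shared precomputation (though a weak password still falls to a per-user guess). The record layout, the use of plain MD5 and the sample users are assumptions for the demonstration, since the page does not show Flog's actual scheme.

```python
import hashlib
import hmac
import os

# Constructed sample in the spirit of the users file discussed above.
# Flog's real record format and hash are not shown on the page; an
# unsalted MD5 of the password is assumed here purely for illustration.
LEAKED_RECORDS = {
    "admin": hashlib.md5(b"1234").hexdigest(),
    "editor": hashlib.md5(b"letmein").hexdigest(),
    "alice": hashlib.md5(b"$Up3$tr0n9 # P@$sWoRD!!").hexdigest(),
}

# Tiny constructed wordlist; an audit would use a far larger one.
WORDLIST = ["password", "1234", "letmein", "qwerty"]


def audit_unsalted(records, wordlist):
    """Return {user: password} for accounts whose unsalted hash matches a
    wordlist entry. One table, built once, is reused for every account."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}


def store_salted(password, iterations=200_000):
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    Two users with the same password now get different stored values,
    so no shared precomputed table applies; each guess costs full work."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("exposed by wordlist:", audit_unsalted(LEAKED_RECORDS, WORDLIST))
    rec = store_salted("1234")
    print("salted record verifies:", verify_salted(rec, "1234"))
```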
Current thread:
- Flog 1.1.2 Remote Admin Password Disclosure corrado.liotta (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Message not available
- Fwd: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 15)