Bugtraq mailing list archives
Re: phpBB Security Bugs
From: Konrad Rieck <kr () roqe org>
Date: 21 Feb 2003 11:19:52 +0100
Hi Lucas & List,

On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
If a correct password hash digit is guessed, the admin's name will show up as an online user, in the online user list at the bottom of the forum page. After the password hash is determined, it is then placed in the cookie and access is granted to the site.
I am just wondering... You are talking about guessing a 33-digit hexadecimal number? Even if there are 1.000 admin passwords in the hash-space and you succeed in finding one after only searching 10% of the space and you are checking about 1.000.000 hashes per second, you won't finish until the sun goes nova (which is rather impractical, especially for CPU-cooling).

I believe this is a theoretical attack against phpBB 2.0, but maybe I missed some magic in the way phpBB generates these password hashes, actually I haven't looked at the code.

Regards,
Konrad

--
Konrad Rieck <kr () roqe org> --------------------------------------------+
Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub |
Fingerprint: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3 -------+