Full Disclosure mailing list archives
Re: Flog 1.1.2 Remote Admin Password Disclosure
From: endrazine <endrazine () gmail com>
Date: Sun, 07 Jan 2007 16:08:23 +0100
Hi dear list,

wac wrote:

> On 1/5/07, Valdis.Kletnieks () vt edu wrote:
> > On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > > This isn't a password disclosure, it's a leak of password information.
> > >
> > > It's a password hash, you super hacker.
>
> yes that's correct but don't forget that hashes can collide it could be the case that:

can ? could ? might ? Do you have any mathematical proof or are you just guessing ?

> xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even need the original strong one ;)

what hashing algorithm is being used ? Is a collision realistic ? How much time would it take to actually break a given hash ?

> so strong password is not a countermeasure to that I believe that is a BIG security hole

At least, the hash was probably not meant to be leaked ;) Now, if you don't answer the above questions with "can", "weak", "very", "< 1 day or so", hence, the word "BIG" is a bit exaggerated imho...

Regards,

endrazine-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
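The disagreement above is about whether xhash(strong) == xhash("1234") is a realistic worry for a leaked hash. The following is an added example (not from the thread or from Flog) that makes the point concrete: for an ideal n-bit hash, matching one specific target (a second preimage) costs about 2^n evaluations and finding any collision about 2^(n/2), so the answer depends entirely on the algorithm's output size. The code uses SHA-256 truncated to n bits as a toy stand-in for the thread's hypothetical xhash(); the "cand-i" candidate inputs and the 10^9 hashes/second rate are constructed assumptions for the demonstration.

```python
import hashlib
from typing import Dict, Optional, Tuple

SECONDS_PER_YEAR = 365 * 24 * 3600


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits.

    This is a toy stand-in for the thread's hypothetical xhash(); the
    truncation exists only so that the small cases can be searched by hand.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def generic_attack_cost(bits: int) -> Dict[str, int]:
    """Expected hash evaluations for the two generic attacks on an ideal n-bit hash.

    - second_preimage: make an input match ONE given digest (wac's scenario,
      where "1234" must hash to the same value as a specific strong password)
    - collision: find ANY two inputs with the same digest (birthday bound)
    """
    return {
        "second_preimage": 2 ** bits,
        "collision": 2 ** (bits // 2),
    }


def find_second_preimage(target_password: str, bits: int, limit: int) -> Optional[Tuple[str, int]]:
    """Search constructed inputs 'cand-0', 'cand-1', ... for one whose truncated
    hash equals that of target_password. Returns (input, tries) or None if the
    budget `limit` is exhausted. Expected tries for an ideal hash: about 2**bits.
    """
    target = truncated_hash(target_password.encode(), bits)
    for i in range(limit):
        cand = f"cand-{i}"
        if cand != target_password and truncated_hash(cand.encode(), bits) == target:
            return cand, i + 1
    return None


def years_at_rate(evaluations: int, per_second: float) -> float:
    """Wall-clock years to perform `evaluations` hashes at `per_second` (assumed rate)."""
    return evaluations / per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # A 16-bit toy hash: a second preimage of "1234" is found almost at once,
    # so here wac's xhash(strong) == xhash("1234") is a real possibility.
    found = find_second_preimage("1234", 16, 1 << 21)
    print("16-bit toy hash, second preimage of '1234':", found)

    # Realistic output sizes: the same generic attack is far out of reach,
    # which is exactly why endrazine asks which algorithm is in use.
    for bits in (16, 128, 256):
        cost = generic_attack_cost(bits)
        print(f"{bits:3d}-bit hash: second preimage ~2^{bits} evals "
              f"(~{years_at_rate(cost['second_preimage'], 1e9):.3g} years at 1e9/s), "
              f"collision ~2^{bits // 2} evals")
```

Usage note: the expensive case here is the *generic* one; a leaked hash of a weak, unsalted password is still cheap to recover by guessing the password itself, which is why the answers endrazine asks for (algorithm, salting, time to break) rather than collision theory decide how "BIG" the leak is.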
Current thread:
- Flog 1.1.2 Remote Admin Password Disclosure corrado.liotta (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Message not available
- Fwd: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 15)