Re: Flog 1.1.2 Remote Admin Password Disclosure

[endrazine <endrazine () gmail com>]

Hi dear list,

wac a écrit :
> On 1/5/07, *Valdis.Kletnieks () vt edu <mailto:Valdis.Kletnieks () vt edu>* 
> <Valdis.Kletnieks () vt edu <mailto:Valdis.Kletnieks () vt edu> > wrote:
>
>     On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
>     > This isn't a password disclosure, it's a leak of password
>     information.
>     >
>     > It's a password hash, you super hacker.

> yes that's correct but don't forget that hashes can collide
>
> it could be the case that:
can ? could ? might ? Do you have any mathematical prouve or are you 
just guessing ?

> xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even 
> need the original strong one ;)
what hashing algorithm is being use ? Is a collision realistic ? How 
much time would it take to actually break a given hash ?
> so strong password is not a countermesure to that
>
> I beleive that is a BIG security hole
At least, the hash was probably not meant to be leaked ;)
Now, if you don't answer the above questions by "can", "weak", "very", 
"< 1 day or so", hence, the word "BIG" is a bit exagereted imho...

Regards,

endrazine-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/