[Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure

wac waldoalvarez00 at gmail.com
Sun Jan 7 07:59:26 GMT 2007


On 1/5/07, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
>
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password information.
> >
> > It's a password hash, you super hacker.
>
> And given the hash, and knowledge of how the hash is computed, it becomes
> possible to dictionary-attack (and other related techniques), and thus
> get the actual passwords, unless there are other things in place to ensure
> that all users have passwords sufficiently strong to resist those
> techniques.


Yes, that's correct, but don't forget that hashes can collide.

It could be the case that:

xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even need
the original strong one ;)

So a strong password is not a countermeasure to that.

I believe that is a BIG security hole.

Regards
Waldo

> And given that this:
>
> > http://remote_server/data/users.0.dat
>
> works, the probability that the hashes represent strong passwords is quite
> close to nil.
>
> In any *practical* sense, the fact that the attacker can get the hash and
> from that extract/compute at least some passwords means that the passwords
> are *effectively* disclosed, even if the actual bitstring originally retrieved
> isn't the actual password.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
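The point Valdis makes above, that a leaked hash plus knowledge of the hash function is enough to recover weak passwords by dictionary lookup, is easy to show next to the storage scheme that defends against it. The following is an added example written for this archive page; it is not code from the thread or from Flog, and it does not know which hash Flog 1.1.2 actually uses (MD5 is chosen only as a representative fast, unsalted hash). The wordlist and passwords are constructed sample data. The weak path shows why one precomputed table reverses every user's hash at once; the hardened path (per-user random salt plus PBKDF2-HMAC-SHA256, a standard-library construction) shows that the table no longer applies and each guess costs a full key derivation.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for a dictionary of common passwords (sample data,
# not part of the original thread).
WORDLIST = ["password", "letmein", "1234", "qwerty", "admin"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: a single fast, unsalted hash of the password.

    MD5 is an assumption used for illustration; the thread does not state
    which hash Flog uses.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precompute_table(wordlist) -> Dict[str, str]:
    """Build the lookup table once; with no salt it reverses the hash of any
    wordlist entry for every user and every site using the same scheme."""
    return {unsalted_hash(word): word for word in wordlist}


def recover_from_table(table: Dict[str, str], leaked_hash: str) -> Optional[str]:
    """A leaked unsalted hash is recovered by one dictionary lookup, or not at
    all if the password is outside the wordlist (which is the 'strong
    password' defence Valdis describes)."""
    return table.get(leaked_hash)


# Hardened scheme: random per-user salt and a deliberately slow KDF.
PBKDF2_ITERATIONS = 200_000  # cost parameter; raise as hardware improves


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn per password so
    identical passwords produce different stored records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def table_reusable_across_users(password: str) -> bool:
    """Store the same password for two users under the hardened scheme and
    report whether one stored digest could be looked up to find the other.
    With per-user salts the two records differ, so a precomputed table
    cannot serve both; an attacker must pay the KDF cost per user per guess."""
    _, digest_a = hash_password(password)
    _, digest_b = hash_password(password)
    return digest_a == digest_b


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    leaked_weak = unsalted_hash("1234")
    leaked_strong = unsalted_hash("$Up3$tr0n9 # P@$sWoRD!!")
    print("unsalted, weak password  ->", recover_from_table(table, leaked_weak))
    print("unsalted, strong password ->", recover_from_table(table, leaked_strong))
    salt, digest = hash_password("1234")
    print("salted PBKDF2 verify correct guess:", verify_password("1234", salt, digest))
    print("salted PBKDF2 verify wrong guess:  ", verify_password("12345", salt, digest))
    print("one table serves all users under PBKDF2 scheme:", table_reusable_across_users("1234"))
```

The unsalted path recovers "1234" with a single lookup and misses the strong password only because it is absent from the wordlist, which is exactly the "other things in place" caveat in the quoted mail; the salted PBKDF2 path does not make a weak password strong, but it removes the shared table and multiplies the cost of every guess, which is the storage-side mitigation that a disclosed users file like the one above would otherwise lack.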