[Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure
endrazine
endrazine at gmail.com
Sun Jan 7 15:08:23 GMT 2007
Hi dear list,
wac a écrit :
>
>
> On 1/5/07, *Valdis.Kletnieks at vt.edu <mailto:Valdis.Kletnieks at vt.edu>*
> <Valdis.Kletnieks at vt.edu <mailto:Valdis.Kletnieks at vt.edu> > wrote:
>
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password
> information.
> >
> > It's a password hash, you super hacker.
>
>
> yes that's correct but don't forget that hashes can collide
>
> it could be the case that:
>
can ? could ? might ? Do you have any mathematical prouve or are you
just guessing ?
> xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even
> need the original strong one ;)
>
what hashing algorithm is being use ? Is a collision realistic ? How
much time would it take to actually break a given hash ?
> so strong password is not a countermesure to that
>
> I beleive that is a BIG security hole
>
At least, the hash was probably not meant to be leaked ;)
Now, if you don't answer the above questions by "can", "weak", "very",
"< 1 day or so", hence, the word "BIG" is a bit exagereted imho...
Regards,
endrazine-
Full-Disclosure is hosted and sponsored by Secunia.