[16257] in bugtraq
Re: Neoboard 3.0 insecurely creates passwords
daemon@ATHENA.MIT.EDU (Signal 11)
Tue Aug 15 16:51:12 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <NEBBKPCNALMEJENIHFBIMEAPCAAA.signal11@mediaone.net>
Date: Mon, 14 Aug 2000 14:05:05 -0500
Reply-To: Signal 11 <signal11@MEDIAONE.NET>
From: Signal 11 <signal11@MEDIAONE.NET>
X-To: jonathan@leto.net
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000811175738.A24138@leto.net>
> All passwords are generated with a salt of ".v" . This isn't a
> huge security hole, but if someone gets to the hashes in your
> database, it will be a lot easier to crack them.
This is particularily objectionable because PHP will happily
generate a random salt by simply omitting one. The only reason
one should specify a salt is when encrypting a password to
compare it to the one in the database. Just extract the first
two letters from the string and pass that to the crypt function -
you can do all of it on one line. :/
~ Signal 11
