[28980] in bugtraq


Re: phpBB Security Bugs

daemon@ATHENA.MIT.EDU (Konrad Rieck)
Fri Feb 21 18:15:12 2003

From: Konrad Rieck <kr@roqe.org>
To: Lucas Armstrong <lucas@cgishield.com>
In-Reply-To: <20030220203725.17263.qmail@www.securityfocus.com>
Message-Id: <1045822791.7155.11.camel@fluffy>
Date: 21 Feb 2003 11:19:52 +0100


Hi Lucas & List,

On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
> If a correct password hash digit is guessed, the admin's name will show up
> as an online user, in the online user list at the bottom of the forum
> page. After the password hash is determined, it is then placed in the
> cookie and access is granted to the site.

I am just wondering... You are talking about guessing a 33-digit
hexadecimal number?

Even if there are 1.000 admin passwords in the hash-space and you
succeed in finding one after only searching 10% of space and you are
checking about 1.000.000 hashes per second. You won't finish until the
sun goes nova (which is rather impractical, especially for
CPU-cooling).

I believe this is a theoretical attack against phpBB 2.0, but maybe I
missed some magic in the way phpBB generates these password hashes;
actually I haven't looked at the code.

Regards,
Konrad

-- 
Konrad Rieck <kr@roqe.org> --------------------------------------------+
Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub |
Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3 -------+




