[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure
- From: endrazine <endrazine@xxxxxxxxx>
- Date: Sun, 07 Jan 2007 16:08:23 +0100
Hi dear list,
wac a écrit :
>
>
> On 1/5/07, *Valdis.Kletnieks@xxxxxx <mailto:Valdis.Kletnieks@xxxxxx>*
> <Valdis.Kletnieks@xxxxxx <mailto:Valdis.Kletnieks@xxxxxx> > wrote:
>
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password
> information.
> >
> > It's a password hash, you super hacker.
>
>
> yes that's correct but don't forget that hashes can collide
>
> it could be the case that:
>
can ? could ? might ? Do you have any mathematical prouve or are you
just guessing ?
> xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even
> need the original strong one ;)
>
what hashing algorithm is being use ? Is a collision realistic ? How
much time would it take to actually break a given hash ?
> so strong password is not a countermesure to that
>
> I beleive that is a BIG security hole
>
At least, the hash was probably not meant to be leaked ;)
Now, if you don't answer the above questions by "can", "weak", "very",
"< 1 day or so", hence, the word "BIG" is a bit exagereted imho...
Regards,
endrazine-
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/