[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200701052112.l05LCfuG015995@turing-police.cc.vt.edu>
Date: Fri, 05 Jan 2007 16:12:41 -0500
From: Valdis.Kletnieks@...edu
To: T Biehn <tbiehn@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, milw0rm <submit@...w0rm.com>
Subject: Re: Flog 1.1.2 Remote Admin Password Disclosure
On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> This isn't a password disclosure, it's a leak of password information.
>
> It's a password hash, you super hacker.
And given the hash, and knowledge of how the hash is computed, it becomes
possible to dictionary-attack (and other related techniques), and thus
get the actual passwords, unless there are other things in place to ensure
that all users have passwords sufficiently strong to resist those techniques.
And given that this:
> http://remote_server/data/users.0.dat
works, the probability that the hashes represent strong passwords is quite
close to nil.
In any *practical* sense, the fact that the attacker can get the hash and
from that extract/compute at least some passwords means that the passwords
are *effectively* disclosed, even if the actual bitstring originally retrieved
isn't the actual password.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists