Bugtraq mailing list archives
Re: phpBB Security Bugs
From: Lucas Armstrong <lucas () cgishield com>
Date: 22 Feb 2003 03:40:58 -0000
In-Reply-To: <1045822791.7155.11.camel@fluffy>

Konrad,

This particular SQL Injection technique makes it possible to isolate each hex digit in the md5 hash, and allows you to guess that digit's particular value. Each digit would be guessed in 16 tries or less. Since there are 32 digits in an md5 hash, there would be a maximum number of 512 guesses to determine any particular password hash.

Again, the key to this exploit is isolating the guess to one digit at a time, then moving on to the next digit, not trying to guess the entire 32-digit string in one fell swoop, which would indeed take an incredible amount of time.

-David
On 21 Feb 2003 11:19:52 +0100, Konrad Rieck <kr () roqe org> wrote:

> Hi Lucas & List,
>
> On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
> > If a correct password hash digit is guessed, the admin's name will show up as an online user, in the online user list at the bottom of the forum page. After the password hash is determined, it is then placed in the cookie and access is granted to the site.
>
> I am just wondering... You are talking about guessing a 33-digit hexadecimal number?
>
> Even if there are 1.000 admin passwords in the hash-space and you succeed in finding one after only searching 10% of the space, and you are checking about 1.000.000 hashes per second, you won't finish until the sun goes nova (which is rather impractical, especially for CPU cooling).
>
> I believe this is a theoretical attack against phpBB 2.0, but maybe I missed some magic in the way phpBB generates these password hashes; actually I haven't looked at the code.
>
> Regards,
> Konrad
>
> --
> Konrad Rieck <kr () roqe org>
> Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub
> Fingerprint: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3
Current thread:
- phpBB Security Bugs Lucas Armstrong (Feb 20)
- Re: phpBB Security Bugs Konrad Rieck (Feb 21)
- Re: phpBB Security Bugs Christian Vogel (Feb 23)
- <Possible follow-ups>
- Re: phpBB Security Bugs Lucas Armstrong (Feb 23)
- Re: phpBB Security Bugs Konrad Rieck (Feb 21)