Bugtraq mailing list archives
Re: phpBB Security Bugs
From: Christian Vogel <chris () obelix hedonism cx>
Date: Sat, 22 Feb 2003 11:20:07 +0100
Hi Konrad, Lucas and List,

On Fri, Feb 21, 2003 at 11:19:52AM +0100, Konrad Rieck wrote:
> I am just wondering... You are talking about guessing a 33-digit hexadecimal number?

No, he was talking about guessing each hex-digit one at a time, so he
will need 16*33=528 guesses to exhaust the whole "hash-space".

See in Lucas' SQL: mid(user_password,n,1)=char(guess), the "algorithm"
goes like this:

    for(n=0..32){
        for(g='0'..'9','A'..'F')
            if( guessed_right(n,g) ){
                hash[n]=g; break;
            }
    }

    Chris

--
First snow, then silence.
This thousand dollar screen dies
so beautifully.
    -- Simon Firth
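
Added example, not part of the original post: a log check for the per-position probing described above. It flags a client whose requests test single characters of one column at several different offsets, using the mid(...,n,1)=char(...) shape quoted in the post. The log layout, the addresses, the /index.php path and the function name are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe shape quoted in the post: mid(user_password,n,1)=char(guess)
PROBE = re.compile(
    r"mid\(\s*(\w+)\s*,\s*(\d+)\s*,\s*1\s*\)\s*=\s*char\(\s*(\d+)\s*\)", re.I
)

# Constructed sample lines: client address, then the quoted request line.
SAMPLE_LOG = [
    '198.51.100.7 "GET /index.php?p=mid(user_password,1,1)%3Dchar(48) HTTP/1.0"',
    '198.51.100.7 "GET /index.php?p=mid(user_password,1,1)%3Dchar(49) HTTP/1.0"',
    '198.51.100.7 "GET /index.php?p=mid(user_password,2,1)%3Dchar(48) HTTP/1.0"',
    '203.0.113.9 "GET /index.php?p=welcome HTTP/1.0"',
    '198.51.100.7 "GET /index.php?p=MID(user_password,+3,1)+%3D+CHAR(65) HTTP/1.0"',
    '203.0.113.20 "GET /index.php?p=mid(user_password,1,1)%3Dchar(48) HTTP/1.0"',
]


def find_enumeration(lines, min_positions=3):
    """Return {(client, column): (sorted offsets, probe count)} for clients
    that tested single characters at min_positions or more distinct offsets.

    A full run needs at most 16*33=528 requests (figure from the post), so
    the number of distinct offsets is tracked rather than raw request volume.
    """
    seen = defaultdict(lambda: {"positions": set(), "probes": 0})
    for line in lines:
        client, _, request = line.partition(" ")
        # Decode %3D and '+' so encoded probes match the same pattern.
        for column, pos, _guess in PROBE.findall(unquote_plus(request)):
            entry = seen[(client, column.lower())]
            entry["positions"].add(int(pos))
            entry["probes"] += 1
    return {
        key: (sorted(v["positions"]), v["probes"])
        for key, v in seen.items()
        if len(v["positions"]) >= min_positions
    }


if __name__ == "__main__":
    for (client, column), (offsets, probes) in find_enumeration(SAMPLE_LOG).items():
        print(f"{client} probed {column} at offsets {offsets} in {probes} requests")
```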