View Full Version : Big exploit issue (can easily get admin's hash)


Dominic
02-27-2007, 01:40 PM
http://www.securityfocus.com/bid/22575

Big exploit issue. They can easily get admin's hash. Might want to fix this if you haven't already.

Shazz
02-27-2007, 02:10 PM
2.6.0 just came out :|

Dominic
02-27-2007, 02:12 PM
Well, I didn't see it since it wasn't posted in this forum, so I didn't bother looking.

Shazz
02-27-2007, 02:18 PM
Well, I didn't see it since it wasn't posted in this forum, so I didn't bother looking.

He hasn't made the announcement yet -.-

Here's a link to save the time looking:

https://vborg.vbsupport.ru/showthread.php?t=101554&highlight=iproarcade
:p

gmatrix
02-28-2007, 09:22 PM
Has this actually been fixed in the new release, and what is the admin's hash anyway?

MrZeropage
03-01-2007, 12:57 PM
This is fixed in v2.6.0+, and that is exactly the issue that is meant by "fixed security issue" in the release history.

That's why I told everybody to upgrade to v2.6.0+ so nobody has to worry :)


Well, I didn't see it since it wasn't posted in this forum, so I didn't bother looking. I have my eyes everywhere ;)

btw: the hash of any password (admin or not) does not help with anything, as the password is "double-hashed" using a random 3-character value between the hashes, so that even with the hash it is still impossible to re-calculate the real password behind it :)

nitro
03-01-2007, 02:23 PM
It makes no difference how many hashes or random characters are used; it only takes a vulnerability that would permit altering the email address field for a specific ID in the user table, and there's instant escalated privileges once a password reset is made.

Alternatively, an attacker can simply inject the random characters (salt) for the hash and a respective hash into the respective fields on a userid in the user table, and you're in when you use the new password.

Not digging at ibPro, as Mr Z knows, but for others' information, that's how easy it is to have a vBulletin admin account compromised. It only takes one bad vulnerability somewhere, so always use additional security like htaccess, keep all your hacks up to date and be prepared to disable or even remove files for any addons if the need should arise. It's highly unlikely your vBulletin password would be retrieved, but gaining privileged access is a different story.
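To make the two posts above concrete (MrZeropage's "double-hashed with a 3-character value between the hashes" and nitro's point that the stored hash and salt pair is all a login check needs), here is an added illustration written for this thread, not ibProArcade's or vBulletin's own code; the exact md5(md5(password) + salt) layout, the salt alphabet and all sample values are assumptions:

```python
import hashlib
import hmac
import secrets
import string
from typing import Tuple

# Assumed layout of the "double hash" described in the thread:
# outer = md5( md5(password) + salt ), with a 3-character salt stored
# next to the hash in the user row. Constructed illustration only.
SALT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
SALT_LENGTH = 3


def make_salt(length: int = SALT_LENGTH) -> str:
    """Random per-user salt, as stored in the user table beside the hash."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def double_hash(password: str, salt: str) -> str:
    """Inner md5 of the password, then md5 of that hex digest with the salt appended."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def register(password: str) -> Tuple[str, str]:
    """Return the (hash, salt) pair a site would write to the user row."""
    salt = make_salt()
    return double_hash(password, salt), salt


def verify(password: str, stored_hash: str, salt: str) -> bool:
    """A login check needs the candidate password plus BOTH stored fields.

    This is why the pair (hash, salt) is as sensitive as the row's email
    address: whoever can write both fields controls who can log in, even
    though the hash alone does not reveal the original password.
    """
    return hmac.compare_digest(double_hash(password, salt), stored_hash)


if __name__ == "__main__":
    stored_hash, salt = register("correct horse")   # constructed sample
    print(verify("correct horse", stored_hash, salt))   # True
    print(verify("correct horse", stored_hash, "xyz"))  # False: wrong salt
```

The same salt must be presented at verification time, so treating only the hash column as secret, while leaving the salt and email columns writable, gives no protection.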

MrZeropage
03-01-2007, 05:06 PM
I just explained the "They can easily get admin's hash" ;)


Anyway, this got fixed quickly, and (as also stated in the update-notification mail sent to all who clicked INSTALL for ibProArcade) I recommend that everybody update to v2.6.0+.