vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   unethical question re: password logging (https://vborg.vbsupport.ru/showthread.php?t=149119)

dizzine 06-07-2007 09:19 AM

unethical question re: password logging
 
ignoring the obvious ethical issues :rolleyes: are there any hacks that can log the plain text password of users as they login to the forum?

providing users are informed that logging takes place i dont see a problem.

Dismounted 06-07-2007 11:40 AM

Possible, but no modifications have been released for this and I doubt there will be. Additionally, passwords are zapped (encrypted) on submission. But that can be turned off.

dizzine 06-07-2007 01:46 PM

im speculating here as a non coder but couldnt the plain text password be 'interupted' before the db md5 hash query and sent to a .txt file in the forum file structure..

should be a simple bit of code..just wish i had studied software in school all those years ago..lol:D

nexialys 06-07-2007 01:48 PM

by editing the <form to not have the passwordMD5 part, sure it is... so you md5 the password inside the record process instead... 2 edits...

this is less secure, as the data can be extracted on process, but if that's what you want...

why this btw ?!

dizzine 06-07-2007 02:04 PM

curiosity really..
someone asked me how secure a vbulletin pwd was and ever since ive been wondering how to get round the md5 encryption..no other reason..
vbulletin is very secure it seems, double md5 hash plus salt..a reverse lookup of a vB hash is nigh on impossible..

in this situation keeping the md5 hash intact would be the best option and just using a line of code to output the raw text to a file during login..just wish i knew .php/mysql

i know there are lots of frowns about this subject but if you own the license/forum and are open about what youre trying to do then i dont think there should be issues worth raising in relation to such a mod/hack.

Brad 06-07-2007 02:19 PM

All you have to do is remove some javascript and catch the plaintext in the php code before it's hashed.

dizzine 06-07-2007 02:25 PM

hehe..you make it sound sooo easy Brad..:p
x

nexialys 06-07-2007 02:33 PM

Quote:

Originally Posted by dizzine (Post 1263288)
hehe..you make it sound sooo easy Brad..:p
x

hey, i made it as simple BEFORE BRAD... lol

and actually, the only reason someone would make this possible is to enable the possibility to grab your "forgotten password" without reseting it...

i've done that for a client one day... he lost his time as all the members that needed password extraction were using the reset process anyway.. lol

dizzine 06-07-2007 02:43 PM

oh yeah sorry nexialys.. :o
im still none the wiser as to the code/js needed..but im guessing providing someone knew the ftp user account details a form can be modded to provide a method of grabbing text pwds before they get hashed/compared..

so in essence regardless of how pwds are stored the only really important pwd is the admins ftp account..sheesh..!!

Brad 06-07-2007 06:54 PM

Quote:

Originally Posted by dizzine (Post 1263303)
oh yeah sorry nexialys.. :o
im still none the wiser as to the code/js needed..but im guessing providing someone knew the ftp user account details a form can be modded to provide a method of grabbing text pwds before they get hashed/compared..

so in essence regardless of how pwds are stored the only really important pwd is the admins ftp account..sheesh..!!

Well a proper modification would catch the plaintext version and hold it in memory until the user is logged in. If the user managed to log-in we know that password is good and we can store it somewhere for whenever it's needed.

The main problem with this is removing the bit of javascript in the navbar. You see it will hash the password on the client side before sending it off to the server (if the client has javascript on that is). This was done in the name of security...someone can't grab the plaintext version in-route to your server in other words.

I'm not interested in coding such a thing just because it doesn't catch my fancy but I'm sure some one around here would be willing to do it for you if you really wanted it.

You could always just hack out the hashing and store the passwords as plaintext in the database (you're doing it anyway in my above example ;)). But hey, wheres the fun in that?

UltimateOreo! 06-07-2007 07:06 PM

Well, you could just remove all of the md5 coding, you could just go into phpmyadmin. Although, I wouldn't even try something as stupid as that. WAY too insecure.

Dismounted 06-08-2007 09:55 AM

I'm sure Marco posted a constant so that they wouldn't be zapped, without the need to edit any JS.

dizzine 06-09-2007 08:20 AM

having no hashing is not an option..
anyone want to earn a few notes writing me some code..?
happy to pay and keep it all private if you wish..
thanks all, very interesting topic.
diz
x

Dismounted 06-09-2007 10:49 AM

You don't understand...We're not saying to disable the MD5 hashing. The problem is that vBulletin automatically hashes the input before it even reaches the server.

dizzine 06-09-2007 12:48 PM

i do get it, just..but one of the suggestions was to turn off hashing and store plain text in the db..thats what i meant when i said 'not an option'..
i guess i need code/js to grab the plain text before vbulletin sees it..is that nearer the mark?
ty
diz

Dismounted 06-10-2007 03:04 AM

You can turn off having vBulletin hashing it before it reaches the server. No matter what path you go down, you would have to do that.

Dave Hawley 06-10-2007 09:15 AM

I'm shocked that this Threads lasted the time it has! While the OP may not have bad intentions, anyone can read this thread!

dizzine 06-11-2007 11:36 AM

yeah youre right Dave..maybe too much info in this thread for the general consu,er, though as there really is no easy way around the issue i originally posted i think the community is safe..

one final question not really relating to the original topic..
when you turn off or remove the hashing of passwords, does that mean everyone has to enter new ones the next time they log in?


All times are GMT. The time now is 10:29 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01032 seconds
  • Memory Usage 1,748KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (18)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 

Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete