Big exploit issue (can easily get admin's hash)
<a href="http://www.securityfocus.com/bid/22575" target="_blank">http://www.securityfocus.com/bid/22575</a>
Big exploit issue. They can easily get admin's hash. Might want to fix this if you haven't already. |
2.6.0 just came out :|
Well I didn't see it since it wasn't posted in this forum so I didn't bother looking.
Quote:
Here's to save the time looking https://vborg.vbsupport.ru/showthrea...ght=iproarcade :p |
Has this actually been fixed in the new release and what is the admin's hash anyway?
This is fixed in v2.6.0+ and that is exactly the issue that is meant with "fixed security issue" in the release history.
That's why I told everybody to upgrade to v2.6.0+ so nobody has to worry :)
Quote:
btw: the hash of any password (admin or not) does not help with anything, as the password is "double-hashed" using a random 3-character value between the hashes, so that having the hash, it is still impossible to re-calculate the real password behind it :) |
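The "double-hashed" scheme described in the post above, written out as an added example (this is not code from ibProArcade, vBulletin or any poster in this thread). It assumes the scheme is exactly what the post states: an inner MD5 of the password, then an outer MD5 of that digest concatenated with a random 3-character per-user salt; the salt alphabet and the sample credentials are constructed for the example. It shows why a leaked hash is only useful for checking a guess, never for recovering the password directly, and that the stored (hash, salt) pair is the only thing the login check consults.

```python
import hashlib
import hmac
import secrets
import string

# Constructed for the example: the salt alphabet is an assumption, only the
# 3-character length comes from the post.
SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 3


def make_salt() -> str:
    """Generate a random per-user salt of the length described in the post."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))


def double_hash(password: str, salt: str) -> str:
    """md5( md5(password) + salt ), as the post describes the stored value.

    The salt sits *between* the two hash rounds: it is appended to the
    hex digest of the inner hash before the outer hash is computed.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def register_user(password: str) -> dict:
    """What the user table would store: never the password, only hash + salt."""
    salt = make_salt()
    return {"salt": salt, "password": double_hash(password, salt)}


def verify_password(candidate: str, stored_hash: str, salt: str) -> bool:
    """Login check: recompute the double hash and compare in constant time.

    Note that nothing here can run backwards: given only stored_hash and
    salt, the only operation available is re-hashing a guess and comparing.
    """
    return hmac.compare_digest(double_hash(candidate, salt), stored_hash)


def demo() -> bool:
    """Constructed credentials; returns True if the scheme behaves as claimed."""
    record = register_user("correct horse battery staple")
    ok = verify_password("correct horse battery staple", record["password"], record["salt"])
    wrong = verify_password("wrong guess", record["password"], record["salt"])
    # Same password, different salt: different stored hash.
    other = double_hash("correct horse battery staple", "xyz")
    return ok and not wrong and other != record["password"]


if __name__ == "__main__":
    print("double-hash scheme behaves as described:", demo())
```

A practical caveat for anyone still running a scheme like this: MD5 is fast and unsalted in its inner round, so the protection rests entirely on the outer salt and on the strength of the password itself; modern installations use a deliberately slow password hash instead.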
It makes no difference how many hashes or random characters are used; it only takes a vulnerability that would permit the altering of the email address field for a specific ID in the user table and there's instant escalated privileges once a password reset is made.
Alternatively an attacker can simply inject the random characters (salt) for the hash and a respective hash into the respective fields on a userid in the user table and you're in when you use the new password. Not digging at ibPro as Mr Z knows, but for others' information that's how easy it is to have a vBulletin admin account compromised. It only takes one bad vulnerability somewhere; always use additional security like htaccess, keep all your hacks up to date and be prepared to disable or even remove files for any addons if the need should arise. It's highly unlikely your vBulletin password would be retrieved, but gaining privileged access is a different story. |
I just explained the "They can easily get admin's hash" ;)
Anyway, this got fixed quickly and (as also stated in the update notification mail sent to all who clicked INSTALL for ibProArcade) I recommend everybody to update to v2.6.0+ |