The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
unethical question re: password logging
ignoring the obvious ethical issues are there any hacks that can log the plain text password of users as they login to the forum?
providing users are informed that logging takes place i dont see a problem. |
#2
|
||||
|
||||
Possible, but no modifications have been released for this and I doubt there will be. Additionally, passwords are zapped (encrypted) on submission. But that can be turned off.
|
#3
|
|||
|
|||
im speculating here as a non coder but couldnt the plain text password be 'interupted' before the db md5 hash query and sent to a .txt file in the forum file structure..
should be a simple bit of code..just wish i had studied software in school all those years ago..lol |
#4
|
|||
|
|||
by editing the <form to not have the passwordMD5 part, sure it is... so you md5 the password inside the record process instead... 2 edits...
this is less secure, as the data can be extracted on process, but if that's what you want... why this btw ?! |
#5
|
|||
|
|||
curiosity really..
someone asked me how secure a vbulletin pwd was and ever since ive been wondering how to get round the md5 encryption..no other reason.. vbulletin is very secure it seems, double md5 hash plus salt..a reverse lookup of a vB hash is nigh on impossible.. in this situation keeping the md5 hash intact would be the best option and just using a line of code to output the raw text to a file during login..just wish i knew .php/mysql i know there are lots of frowns about this subject but if you own the license/forum and are open about what youre trying to do then i dont think there should be issues worth raising in relation to such a mod/hack. |
#6
|
|||
|
|||
All you have to do is remove some javascript and catch the plaintext in the php code before it's hashed.
|
#7
|
|||
|
|||
hehe..you make it sound sooo easy Brad..
x |
#8
|
|||
|
|||
hey, i made it as simple BEFORE BRAD... lol
and actually, the only reason someone would make this possible is to enable the possibility to grab your "forgotten password" without reseting it... i've done that for a client one day... he lost his time as all the members that needed password extraction were using the reset process anyway.. lol |
#9
|
|||
|
|||
oh yeah sorry nexialys..
im still none the wiser as to the code/js needed..but im guessing providing someone knew the ftp user account details a form can be modded to provide a method of grabbing text pwds before they get hashed/compared.. so in essence regardless of how pwds are stored the only really important pwd is the admins ftp account..sheesh..!! |
#10
|
|||
|
|||
Quote:
The main problem with this is removing the bit of javascript in the navbar. You see it will hash the password on the client side before sending it off to the server (if the client has javascript on that is). This was done in the name of security...someone can't grab the plaintext version in-route to your server in other words. I'm not interested in coding such a thing just because it doesn't catch my fancy but I'm sure some one around here would be willing to do it for you if you really wanted it. You could always just hack out the hashing and store the passwords as plaintext in the database (you're doing it anyway in my above example ). But hey, wheres the fun in that? |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|