Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 03-12-2004, 10:14 AM
OzRoy OzRoy is offline
 
Join Date: Nov 2002
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Redundant md5 of an md5 of an md5

Hi guys.

We just recently upgraded our forums to VB3. It's only after doing this we realised that VB3 stores the password in the DB as an md5 of an md5 + random string. Not only that but the cookie that is sent to the user is another md5 of the DB's md5 + random string. So the final user cookie is an md5 of an md5 of an md5!

Can this please be changed. I do not believe this to be any more secure than other solutions and all it has achieved is major headaches.

We use our forums as the central part of our network. Included in this is FTP to certain client websites. To do that we use pure-ftpd. Pure has the ability to read usernames and passwords from a DB, and it quite happily works with plain md5 hashes, but obviously will not work with the VB3 system. It has irreversibly broken our system. Our only option now is to hack the VB code, and restore our user table from a DB backup meaning we lose new registrations from the last week.

I can't think of any reason for this massive overkill. An md5 is irreversible. So it should be virtually impossible to determine the users password from just a single md5 hashed password stored in the database. Granted a hacker could do a brute force attack on that value, but the only people who should have access to that are the site admins, AND even in it's current state, being a site admin, I know all the random string values and can STILL do a brute force attack on the value to get the original password.

So that leaves the user cookie. All that needs to be done is to create an md5 of the md5+random string. This at least makes it slightly more secure. But any hacker who is able to sniff the cookie value already has everything that they need. They no longer need to know what the real password is. The cookie value will give them access. If you really want to make this harder and a bit more secure then the cookie value should be an md5 of the md5 + random string + IP Address. Then the hacker will have to spoof their own ip address as well. And honestly who could be bothered doing that just to get access to a forum?

Maybe I'm missing something here, and if so please inform me. If not however, then please fix this, or at least make it an option! I do not want to have to have to fix this every time I upgrade the forum.
Reply With Quote
  #2  
Old 03-12-2004, 11:18 AM
OzRoy OzRoy is offline
 
Join Date: Nov 2002
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ignore this. I posted this on the official vb forum
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 07:45 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05287 seconds
  • Memory Usage 2,165KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (2)post_thanks_box
  • (2)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit_info
  • (2)postbit
  • (2)postbit_onlinestatus
  • (2)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete