The Arcive of Official vBulletin Modifications Site.

RDX1 · #1 01-13-2004, 07:02 PM

Would anyone be interested in writing a hack for finding duplicate users?

There was a hack written for this by checking the ip's and the passwords, and if two users matched it would so it.

Zachery · #2 01-13-2004, 08:38 PM

Quote:

Originally Posted by NerdNations

Would anyone be interested in writing a hack for finding duplicate users?

There was a hack written for this by checking the ip's and the passwords, and if two users matched it would so it.

it wouldnt be a hack so much as a serrious securty issue >.< removing the md5+salts would be the only way to check idential passwords i belive

okrogius · #3 01-13-2004, 09:21 PM

Hashing can remain with the same password checking, but unique user salts would indeed have to go.

Zachery · #4 01-13-2004, 09:33 PM

Quote:

Originally Posted by okrogius

Hashing can remain with the same password checking, but salts would indeed have to go.

whichs brings up security issues.

now anyone who got the md5 from one site could use it on another vB with the same modifcation made

thus creating an insecure system...

okrogius · #5 01-13-2004, 10:24 PM

Quote:

Originally Posted by Faranth

whichs brings up security issues.

now anyone who got the md5 from one site could use it on another vB with the same modifcation made

thus creating an insecure system...

There are no security issues created just by storing passwords even in plain text provided the server(s) is(/are) secured well, and the people who have access to the database are responsible. Granted that will probably not be the ideal aproach in most scenarios, by no way is it just insecure for that.

Whether or not these two (see first sentence) can be aplied to a typical vb user, noting especially how many vbulletins run on shared hosting, that is a whole different story. Do you want to remove an extra safety net in case your well versed technical co-admin places a db backup somewhere without any security (another random example why hashes are there, but note that it does not make not hasing any less secure, it's just significantly harder to "screw up" if the passwords are hashed)?

RDX1 · #6 01-13-2004, 10:44 PM

I'm not asking to see the actual passwords, just the md5 hashes, so if the user has the same ip, and the same password i can assume it is a double user.

There was a hack made before for vb2, all i'm asking is for a vb3 version.

RDX1 · #7 01-13-2004, 10:49 PM

<a href="https://vborg.vbsupport.ru/showthread.php?t=36269" target="_blank">https://vborg.vbsupport.ru/showthread.php?t=36269</a>

NTLDR · #8 01-13-2004, 10:51 PM

We know that

However the probability of two users with the same password actually having the same password hash (due to the salt) system is rather slim. This is where the difficulty lies.

RDX1 · #9 01-14-2004, 12:37 AM

What's Salt?

And if it can't be done, then just the same ip would be fine.

Zachery · #10 01-14-2004, 03:03 PM

Quote:

Originally Posted by NerdNations

What's Salt?

And if it can't be done, then just the same ip would be fine.

the salt is what is generated to dlb encrypt the users password

md5+salt+password and each salt is random

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04149 seconds Memory Usage 2,239KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (4)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!