I just provided an online demonstration of an exploit in the xtorrent module to its author.
In the demonstration I obtained his admin uname, password hash and email address.
Scary? Well, not as scary as the fact it took 2 seconds, yes 2 seconds, to decrypt the MD5 hash back to plaintext.
I then logged in using the decrypted plaintext pass.
I created a custom block from admin, with info of the demo.
http://www.unseen.org.au/
I have not done anything serious to the site, and the owner does now accept that SQL injection is a major cause for concern, and he is aware of my access.
Really, if it took 2 seconds to decrypt the hash to plaintext and log in, then we really need to push the new password encryption branch into 1.1 ASAP. In fact it's a security necessity.
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=1217&post_id=11278
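
The post above argues for replacing the MD5 password hashes. As an added example (not part of the original post and not ImpressCMS code), this is one way a PHP login path can accept an existing unsalted MD5 value once and replace it with a salted, slow hash from PHP's `password_hash()`. The function names and the `$row` layout are hypothetical.

```php
<?php
// Added example, not ImpressCMS code. Function and field names are hypothetical.

/** True if the stored value looks like a legacy unsalted MD5 hex digest. */
function is_legacy_md5(string $stored): bool
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

/**
 * Verify a login attempt against the stored hash.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the stored
 * value should be overwritten (legacy MD5, or outdated password_hash() settings).
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Old scheme: compare in constant time, then move the user off MD5.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // New scheme: per-user salt and work factor are encoded in the hash string.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample row that still holds an unsalted MD5 digest.
$row = ['uname' => 'demo', 'pass' => md5('correct horse battery staple')];

[$ok, $new] = verify_and_upgrade('correct horse battery staple', $row['pass']);
if ($ok && $new !== null) {
    // In a real system, write this back to the users table with a prepared statement.
    $row['pass'] = $new;
}
var_dump($ok, is_legacy_md5($row['pass']));

// A wrong password is rejected against the upgraded hash as well.
[$okWrong] = verify_and_upgrade('wrong password', $row['pass']);
var_dump($okWrong);
```

Rows for users who never log in again keep their MD5 value until a password reset is forced.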