we need to integrate new password algorhythm ASAP

Posted by Vaughan on 1205281001
i just provided an online demonstration of an exploit in xtorrent module to it's author.

in the demonstration i obtained his admin uname, password hash & email address.

scarey? well not as scarey as the fact it took 2 seconds, yes 2 seconds to decrypt the md5 hash back to plaintext.

i then logged in using the decrypted plaintext pass.

i created a custom block from admin, with info of the demo.

http://www.unseen.org.au/

i have not done anything serious to the site, and the owner does now accept that sql injection is a major cause for concern. & he is aware of my access.

really if it took 2 seconds to decrypt the hash to plaintext and login, then we really need to push the new password encryption branch into 1.1 ASAP. in fact it's a security necessity..

Attach file:



png  snapshot3.png (0.00 KB)

This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=1217&post_id=11278