we need to integrate new password algorithm ASAP

Subject: we need to integrate new password algorithm ASAP
by Vaughan on 2008/3/11 16:16:41

I just provided an online demonstration of an exploit in the xtorrent module to its author. In the demonstration I obtained his admin uname, password hash & email address. Scary? Well, not as scary as the fact that it took 2 seconds, yes 2 seconds, to decrypt the md5 hash back to plaintext. I then logged in using the decrypted plaintext pass. I created a custom block from admin, with info of the demo.

http://www.unseen.org.au/

I have not done anything serious to the site, and the owner does now accept that sql injection is a major cause for concern, & he is aware of my access.

Really, if it took 2 seconds to decrypt the hash to plaintext and log in, then we really need to push the new password encryption branch into 1.1 ASAP. In fact it's a security necessity.
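As an added illustration (not code from this post or from the project it discusses), the contrast below shows why an unsalted MD5 digest is recoverable by lookup while a salted, iterated hash is not: under the legacy scheme the same password always produces the same stored value, which is exactly what precomputed tables match against, whereas a per-user random salt plus a PBKDF2 work factor makes every stored value unique and costly to test. The function names, the storage string layout and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Legacy scheme the post describes: bare MD5 of the password.
# The digest depends on nothing but the password, so one precomputed
# table of common passwords matches every account that uses them.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Replacement scheme: per-user random salt plus PBKDF2-HMAC-SHA256.
# The iteration count is this example's choice; raise it as hardware allows.
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    # Keep scheme, work factor and salt beside the digest so it can be
    # verified later and upgraded when the work factor changes.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_same_record(scheme: Callable[[str], str], password: str) -> bool:
    """True if storing the same password twice yields identical records.

    This is the property that makes the legacy scheme table-lookup friendly.
    """
    return scheme(password) == scheme(password)
```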