Huge mybb security compromise
#11
I also had the same problem :) but it's fine now.
We're supposed to be working as a team, if we aren't helping and suggesting things to each other, we aren't working as a team.
- Refraction

#12
(11-17-2014, 02:45 PM)xemnas99 Wrote: Aren't the passwords hashed/encrypted?
If you know just 1, you can crack the rest by reversing the code. I won't give the method away, but I'll just say the call to MySQL CAN be reversed.
#13
(11-17-2014, 02:48 PM)Bositman Wrote: Sure, but if someone gets a hold of the DB, he has all the time in the world to decrypt them.

Isn't one idea of hashes that you cannot decrypt them easily?
What about salting? I guess MyBB salts all of its hashing algorithms with something different for each site. Maybe some salt that cannot easily be obtained from a script...
#14
Not easily, no. It requires lots of processing power and then lots of time, so some remote attacker can't decrypt on the fly. But as I said, when someone gets a hold of a DB, it's pretty much over.

The security hole was that the attackers were getting database backups of the forums, after using a script to make MyBB create them.
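Added example, not part of any post in this thread and not MyBB's own code: a sketch of password storage designed for the case discussed above, where a database backup leaks. It assumes PBKDF2-HMAC-SHA256 with a per-user salt stored in the row plus a site-wide secret ("pepper") that is kept outside the database; all function names, the iteration count and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this sketch; they are not MyBB's settings.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # Key the password with the pepper (held outside the database), then
    # stretch it with the per-user salt so every guess costs many hash rounds.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)


def hash_password(password: str, pepper: bytes) -> dict:
    """Build the record stored in the users table. The pepper is never in it."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, pepper, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, pepper, record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def unsalted_fast_hash(password: str) -> str:
    # Weak baseline for comparison only: equal passwords give equal rows,
    # so one guess is checked against every account at once.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)  # constructed here; load from outside the DB in practice
    row_a = hash_password("correct horse", pepper)
    row_b = hash_password("correct horse", pepper)
    same = unsalted_fast_hash("correct horse") == unsalted_fast_hash("correct horse")
    print("unsalted rows identical:", same)
    print("salted rows identical:  ", row_a["hash"] == row_b["hash"])
    print("verify, right pepper:   ", verify_password("correct horse", row_a, pepper))
    print("verify, wrong pepper:   ", verify_password("correct horse", row_a, b"\x00" * 32))
```

The salt travels with the backup, so it only forces per-account work; the pepper helps only as long as it is stored somewhere a database dump does not reach.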



