URGENT: Can a hacker get users' passwords using this link

    Hi,

    A hacker is getting users' passwords and he claims that he is using this link:
    http://domain.com./vb/mod/index.php?s=&loc=user.php

    I'm running vB2.3.0

  • #2
    I don't think that's possible, as the ModCP requires login; however, try updating to 2.3.5.

    Comment


    • #3
      Thanks, I'll upgrade right away, but I just want to verify his claim.

      Comment


      • #4
        Logout, and try it.


        vBulletin 2.3.0 still hashes its passwords in MD5 form, so unless he can unhash the password he couldn't obtain it.

        Comment


        • #5
          Originally posted by Zachery
          Logout, and try it.


          vBulletin 2.3.0 still hashes its passwords in MD5 form, so unless he can unhash the password he couldn't obtain it.

          The third user just got hacked a while ago!!!

          What's going on?

          Comment


          • #6
            Did you log out and try that link?

            Comment


            • #7
              I just noticed this entry in the who's online:

              Guest Retrieving Password 01:59 AM 172.128.182.243

              what does it mean?

              Comment


              • #8
                Means a user is using the email form to retrieve their email.

                Now, did you try what I asked?

                Comment


                • #9
                  Yes, I did, and it asks for the mod directory password first. Is there any way someone can work around this?

                  Comment


                  • #10
                    Nope, unless the end user has a moderator's password there would be no way to get into the ModCP. I suggest you turn off your site via the AdminCP and upgrade.

                    Comment


                    • #11
                      Originally posted by Zachery
                      I don't think that's possible, as the ModCP requires login; however, try updating to 2.3.5.
                      Even so, with AdminCP or ModCP access you do not see the passwords; they are hashed with MD5 in the database.

                      Comment


                      • #12
                        Using .htaccess on both your ModCP and AdminCP would give you additional peace of mind while you upgrade.

                        Comment


                        • #13
                          I did the upgrade to 2.3.5 and it went smoothly; I had to reinstall a couple of hacks, though.

                          Regarding /mod & /admin, they have been protected by .htaccess since day 1.

                          Comment


                          • #14
                            But I believe it is only hashed once and without a salt. That means it is totally unhashable: either by brute-force computations (a few days at most) or by luck with a good dictionary routine.

                            Comment


                            • #15
                              An MD5 is a one-way hash only and is NOT reversible if a user does obtain it. Doesn't matter how much processing power, time or dictionary-based scripts they run against it; it just can't be done.

                              Comment
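The disagreement between #14 and #15 comes down to whether an unsalted, single-round MD5 can be matched against precomputed guesses without "reversing" it. The following is an added example, not code from this thread or from vBulletin: it shows that a dictionary hashed once with plain MD5 identifies every user who chose one of those words by a single table lookup, while a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here, chosen as an illustrative stand-in, not the scheme any vBulletin version uses) makes that table useless. The wordlist, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a password dictionary (not from the thread).
WORDLIST = ["password", "letmein", "qwerty", "vbulletin", "123456"]
ITERATIONS = 200_000  # demo value; production settings are typically higher


def md5_hex(text: str) -> str:
    """Unsalted single-round MD5, the form stored by vBulletin 2.x."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words):
    """Hash the dictionary once; the table then works against any unsalted dump."""
    return {md5_hex(w): w for w in words}


def recover_unsalted(stored_hash: str, table: dict):
    """One lookup per user: identical passwords always share the same hash."""
    return table.get(stored_hash)


def hash_salted(password: str, salt=None) -> str:
    """Per-user random salt + iterated PBKDF2-HMAC-SHA256, stored as salt$dk."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_salted(stored: str, table: dict):
    """The precomputed MD5 table never matches a salted digest, even for 'password'."""
    return table.get(stored.split("$")[1])


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    leaked = md5_hex("letmein")  # what an unsalted database dump would hold
    print("unsalted:", leaked, "->", recover_unsalted(leaked, table))
    stored = hash_salted("letmein")
    print("salted lookup:", lookup_salted(stored, table))
    print("salted verify:", verify_salted("letmein", stored))
```

Two users who both pick "letmein" get two different salted records, so the attacker must redo the full iterated computation per user rather than reuse one table.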
