3.8.6 admin password

  • lim (x³-7x²) = ∞
    replied
    With read-only access to the db, it is possible to dump hashes and brute-force passwords (157 million p/s using an average GTS250).

    I reported this problem last year: https://forum.vbulletin.com/node/318894


  • Floris
    replied
    vBulletin passwords for users who register have always been hashed with md5 and a unique salt. Yes.


  • WowThatsDumb
    replied
    Originally posted by Floris:
    ... passwords are hashed ...
    So the passwords are properly hashed then?


  • Floris
    replied
    If the database accepts remote links, you can do "everything", so yes, you can also get the user details, though passwords are hashed; however, you could easily change the passwords of any user, or any other details, hence the severity of the matter.


  • Mr. Mikey
    replied
    The exploit doesn't directly give access to the admin password; however, through using the database credentials you can dump the database to a local server, upload it, look in phpmyadmin and decrypt the password. There are easier ways, but it's douchey to explain how to hack someone's forums.


  • Floris
    replied
    Yes, the exploit in 3.8.6 discloses the full database details. One can imagine what they could do with that. You can patch to 3.8.6 pl1.


  • WowThatsDumb
    started a topic 3.8.6 admin password

    3.8.6 admin password

    The news is reporting that the flaw in version 3.8.6 allows one to "obtain the administrator's username and password." Is this true?
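
The replies above describe md5-plus-salt password hashes that, once dumped, can be brute-forced at about 157 million guesses per second. As an added example (not vBulletin code and not part of the thread), this sketch shows one mitigation: wrapping each stored fast hash in a slow key-derivation function without needing the plaintext. The legacy scheme md5(md5(password) + salt), the record field names, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(md5(password) + salt), hex-encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def migrate(record: dict, iterations: int = ITERATIONS) -> dict:
    """Wrap the stored fast hash in PBKDF2; no plaintext password is needed."""
    kdf_salt = os.urandom(16)
    slow = hashlib.pbkdf2_hmac("sha256", record["password"].encode(),
                               kdf_salt, iterations)
    # The legacy salt is kept (login still needs it); the fast hash is dropped.
    return {"username": record["username"], "salt": record["salt"],
            "kdf_salt": kdf_salt.hex(), "iterations": iterations,
            "hash": slow.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Login check: rebuild the legacy hash, then apply the slow wrapper."""
    legacy = legacy_hash(candidate, record["salt"])
    slow = hashlib.pbkdf2_hmac("sha256", legacy.encode(),
                               bytes.fromhex(record["kdf_salt"]),
                               record["iterations"])
    return hmac.compare_digest(slow.hex(), record["hash"])


def exhaust_hours(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate against one salted hash."""
    return keyspace / guesses_per_second / 3600


if __name__ == "__main__":
    # Constructed sample row; the column names are assumptions.
    row = {"username": "admin", "salt": "x9Q",
           "password": legacy_hash("correct horse", "x9Q")}
    upgraded = migrate(row)
    print(verify(upgraded, "correct horse"), verify(upgraded, "guess"))
    # 8 characters of lowercase+digits at the rate quoted in the thread
    print(round(exhaust_hours(36 ** 8, 157e6), 1), "hours")
```

After migration the database no longer holds the fast hash, so a dump exposes only values that cost one full PBKDF2 run per guess.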
