Re: phpBB Security Bugs

From: Konrad Rieck (kr@roqe.org)
Date: 02/21/03

    From: Konrad Rieck <kr@roqe.org>
    To: Lucas Armstrong <lucas@cgishield.com>
    Date: 21 Feb 2003 11:19:52 +0100
    

    Hi Lucas & List,

    On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
    > If a correct password hash digit is guessed, the admin's name will show up
    > as an online user, in the online user list at the bottom of the forum
    > page. After the password hash is determined, it is then placed in the
    > cookie and access is granted to the site.

    I am just wondering... You are talking about guessing a 33-digit
    hexadecimal number?

    Even if there are 1.000 admin passwords in the hash-space and you
    succeed in finding one after only searching 10% of space and you are
    checking about 1.000.000 hashes per second, you won't finish until the
    sun goes nova (which is rather impractical, especially for
    CPU-cooling).

    I believe this is a theoretical attack against phpBB 2.0, but maybe I
    missed some magic in the way phpBB generates these password hashes;
    actually I haven't looked at the code.

    Regards,
    Konrad

    -- 
    Konrad Rieck <kr@roqe.org> --------------------------------------------+
    Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub |
    Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3 -------+