| Bug : | Dichotomic Bruteforce Vulnerability |
| Status : | Fixed |
| Severity : | Very serious |
| Reporter : | Trustmaster |
| Updated by : | Olivier C. |
| Category | Users |
| Version : | 125 RC4 |
| Frequency : | Consistently |
| Fixed in : | 125 |
| Details : | Exploit is available here: http://cr0w-at.blogspot.com/2009/05/seditio-v121-user-password-dichotomic.html It is based on analysing the order of the users list (when sorting by password) combined with brute force. It can recover the administrator's password hash and then use it to find a collision or forge a cookie and log in. To fix this, in system/core/users/users.inc.php replace: if (empty($s)) { $s = 'name'; } with: if (empty($s) || strtolower($s) == 'password') { $s = 'name'; } |
| Items affected : | system/core/users/users.inc.php |
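The three variants of the sort-column check side by side, as an added example (not Seditio's own code): the shape of the vulnerable check, the patch quoted in the report, and a stricter allowlist that goes beyond the report so that no other sensitive column can ever become an ORDER BY key. The column names in the allowlist and the $s variable are assumptions for illustration.

```php
<?php
// Added example, not code from the Seditio project.
// Assumption: $s is the user-supplied sort column for the users list.

// Vulnerable shape: any column name, 'password' included, becomes the sort key.
// Sorting users by their hash column reveals the hash ordering, which is what
// the dichotomic brute force in the report exploits.
function sortColumnVulnerable(string $s): string
{
    if (empty($s)) {
        $s = 'name';
    }
    return $s;
}

// The fix from the report: refuse 'password' explicitly, case-insensitively.
function sortColumnPatched(string $s): string
{
    if (empty($s) || strtolower($s) == 'password') {
        $s = 'name';
    }
    return $s;
}

// Stricter generalisation (assumption, not from the report): only columns that
// are meant to be publicly sortable are accepted; everything else falls back to
// 'name', so a newly added sensitive column is never sortable by accident.
const SORTABLE_USER_COLUMNS = ['name', 'regdate', 'postcount']; // illustrative set

function sortColumnAllowlist(string $s): string
{
    $s = strtolower($s);
    return in_array($s, SORTABLE_USER_COLUMNS, true) ? $s : 'name';
}

// Quick self-check over a few constructed inputs.
foreach (['password', 'PassWord', 'name', 'email', ''] as $input) {
    printf("%-12s vulnerable=%-10s patched=%-10s allowlist=%s\n",
        var_export($input, true),
        sortColumnVulnerable($input),
        sortColumnPatched($input),
        sortColumnAllowlist($input));
}
```

Note that the patched variant still passes through any column name other than 'password', while the allowlist variant maps 'email' and other unexpected names back to 'name'.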
History and comments :
| 05-10-2009 19:52 Olivier C. PM sent to the reporter : |
| 05-10-2009 19:52 Olivier C. Nice one, though it may require an assload of time depending on the server |