Hi Lucas & List, On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote: > If a correct password hash digit is guessed, the admin's name will show up > as an online user, in the online user list at the bottom of the forum > page. After the password hash is determined, it is then placed in the > cookie and access is granted to the site. I am just wondering... You are talking about guessing a 33-digit hexadecimal number? Even if there are 1.000 admin passwords in the hash-space and you succeed finding one after only searching 10% of space and you are checking about 1.000.000 hashs per second. You won't finish until the sun goes nova (which is rather impractical, especially for CPU- cooling). I believe this is a theoretical attack against phpBB 2.0, but maybe I missed some magic in the way phpBB generates these password hashs, acutally I haven't looked at the code. Regards, Konrad -- Konrad Rieck <kr@roqe.org> --------------------------------------------+ Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub | Fingerprint: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3 -------+
Attachment:
signature.asc
Description: This is a digitally signed message part