Ubuntu Forums hacked. Should we be concerned?

kpa said:
Is it possible to change the hash algorithm in vBulletin to at least SHA256 without too much hassle?

Yes and no. vBulletin generates a salted MD5 with a JavaScript function on the client side and then transmits the hash directly while doing a login. So one needs to disable this JavaScript and modify the board to switch to SHA256 or something else. Partly this salting + hashing is done server side if the user disabled JavaScript in the browser (and the password is sent in plain over the line).
 
rghq said:
Yes and no. vBulletin generates a salted MD5 with a JavaScript function on the client side and then transmits the hash directly while doing a login. So one needs to disable this JavaScript and modify the board to switch to SHA256 or something else. Partly this salting + hashing is done server side if the user disabled JavaScript in the browser (and the password is sent in plain over the line).

This sounds very weird to me. If what you're saying is right, then anyone who got their hands on the user database could log in as anyone by sending the username + known hash (you say that's what the JavaScript does). This is almost as bad as storing stuff in plain-text.
 
Savagedlight said:
This sounds very weird to me. If what you're saying is right, then anyone who got their hands on the user database could log in as anyone by sending the username + known hash (you say that's what the JavaScript does). This is almost as bad as storing stuff in plain-text.

That's why database breaches are bad.

What the JavaScript is doing is basically:
Code:
MD5 ("password")                                  = 5f4dcc3b5aa765d61d8327deb882cf99
MD5 ("5f4dcc3b5aa765d61d8327deb882cf99salt")      = d514dee5e76bbb718084294c835f312c

If the salt were different:
MD5 ("5f4dcc3b5aa765d61d8327deb882cf99othersalt") = 5780cfec07208298ea40a1335841e3c1

Without the salt, if somebody got your password from one site, it would be as good as plaintext everywhere that used the same hashing technique. With the salt, it's only that good at places that happened to use the same technique, and the same salt.
 
I figure not a whole lot on the net is safe anyway. I'm not going to worry about the forum though because I'm pretty boring and don't have anything to lose on here. Like suggested though, you might want to check out a secure password.
 
I don't want to sound paranoid, but I just see this announcement related to a potential vBulletin exploit (affects only 4.1+ and 5+), however, about lower versions it says:
A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

4.X - /install/
5.X - /core/install

After deleting these directories your sites cannot be affected by the issues that we’re currently investigating.

vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.

I guess that here we already have taken the necessary steps :)
 
Basic security for most installs: remove permissions on the install directory after you're done installing / upgrading. If you later need it for any reason, restore permissions. I thought this was in Security 101...
 
tingo said:
Basic security for most installs: remove permissions on the install directory after you're done installing / upgrading. If you later need it for any reason, restore permissions. I thought this was in Security 101...

It even tells you this when you finish the install.
 