kpa said:Is it possible to change the hash algorithm in vBulletin to at least SHA256 without too much hassle?
rghq said:Yes and no. vBulletin generates a salted MD5 with a JavaScript function on the client side and then transmits the hash directly during login. So one needs to disable this JavaScript and modify the board to switch to SHA256 or something else. Partly this salting + hashing is done server side if the user disabled JavaScript in the browser (and the password is sent in plaintext over the line).
Savagedlight said:This sounds very weird to me. If what you're saying is right, then anyone who got their hands on the user database could log in as anyone by sending the username + known hash (you say that's what the JavaScript does). This is almost as bad as storing stuff in plain-text.
MD5 ("password") = 5f4dcc3b5aa765d61d8327deb882cf99
MD5 ("5f4dcc3b5aa765d61d8327deb882cf99salt") = d514dee5e76bbb718084294c835f312c
If the salt were different:
MD5 ("5f4dcc3b5aa765d61d8327deb882cf99othersalt") = 5780cfec07208298ea40a1335841e3c1
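The three hashes above imply the scheme md5(md5(password) + salt): the browser sends md5(password), the user table stores md5(md5(password) + salt), and the server recomputes the stored form from the submitted value and the user's salt. The following is an added example written for this page, not vBulletin's own code; the password "password", the salt "salt" and the tiny wordlist are constructed for the walk-through.

```python
import hashlib
import hmac

# Constructed walk-through values (the same password and salt as the hashes above).
PASSWORD = "password"
SALT = "salt"
WORDLIST = ["123456", "letmein", "qwerty", "password"]  # constructed, deliberately tiny


def md5_hex(text):
    """Hex MD5 of a UTF-8 string, matching the browser-side routine and PHP's md5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_side_hash(password):
    """What the login form transmits instead of the password: md5(password)."""
    return md5_hex(password)


def stored_hash(client_hash, salt):
    """What the user table keeps: md5(md5(password) + salt)."""
    return md5_hex(client_hash + salt)


def verify_login(submitted, salt, expected):
    """Server-side check: rebuild the stored form from the submitted client hash
    and the user's salt, then compare without leaking timing."""
    return hmac.compare_digest(stored_hash(submitted, salt), expected)


def crack(expected, salt, wordlist):
    """Offline guessing with a leaked hash and salt: each candidate costs two MD5
    calls, so a wordlist run is cheap. Returns the recovered password or None."""
    for guess in wordlist:
        if stored_hash(client_side_hash(guess), salt) == expected:
            return guess
    return None


if __name__ == "__main__":
    db_hash = stored_hash(client_side_hash(PASSWORD), SALT)
    print("client sends      :", client_side_hash(PASSWORD))
    print("table stores      :", db_hash)
    # Replaying the stored value as if it were the client hash does not log in,
    # because the server applies one more MD5 round with the salt on top of it.
    print("replay stored hash:", verify_login(db_hash, SALT, db_hash))
    # The client hash itself, however, is password-equivalent: anyone who saw it
    # on the wire (plain HTTP) can log in without ever learning the password.
    print("replay client hash:", verify_login(client_side_hash(PASSWORD), SALT, db_hash))
    # And with the database, the password itself falls to a wordlist in no time.
    print("offline crack     :", crack(db_hash, SALT, WORDLIST))
```

Two things follow for the thread's question. A leaked table does not let an attacker replay the stored hash as a login, but a captured md5(password) does, so the client-side hashing buys nothing against a sniffer. And because the stored form is only two fast hashes, swapping MD5 for SHA256 would not change the cracking cost in any meaningful way; what would is a deliberately slow password hash such as bcrypt or PBKDF2 with a high iteration count.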
A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:
4.X - /install/
5.X - /core/install
After deleting these directories your sites cannot be affected by the issues that we're currently investigating.
vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.
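An added helper for the procedure in the advisory (example code written for this page, not vBulletin's own tooling): it looks for the two directories the advisory names under a given document root and either deletes them, as the advisory recommends, or strips their permission bits so they can be restored with chmod before the next upgrade. The `make_sample_docroot` function builds a constructed stand-in layout in a temporary directory so the walk-through runs without a real forum install.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Relative paths named in the advisory: /install/ for 4.x, /core/install for 5.x.
INSTALL_DIRS = ("install", "core/install")


def find_install_dirs(docroot):
    """Return the advisory-listed install directories that still exist under docroot."""
    root = Path(docroot)
    return [root / rel for rel in INSTALL_DIRS if (root / rel).is_dir()]


def harden_install_dirs(docroot, action="remove"):
    """Neutralise leftover install directories and return the paths handled.

    action="remove": delete them, as the advisory recommends.
    action="lock":   chmod 000 the directory instead, so the web server can no
                     longer traverse it but an admin can chmod it back for an
                     upgrade (the permission-based approach).
    """
    handled = []
    for path in find_install_dirs(docroot):
        if action == "remove":
            # A directory locked earlier cannot be listed for deletion, so give
            # the owner full access again before removing the tree.
            os.chmod(path, stat.S_IRWXU)
            shutil.rmtree(path)
        elif action == "lock":
            os.chmod(path, 0)
        else:
            raise ValueError("unknown action: %r" % (action,))
        handled.append(path)
    return handled


def is_locked(path):
    """True when the path carries no permission bits at all (mode 000)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0


def make_sample_docroot():
    """Constructed sample layout: both install directories present, each with a
    stand-in index.php, plus one live site file that must survive hardening."""
    root = Path(tempfile.mkdtemp(prefix="vb-docroot-"))
    for rel in INSTALL_DIRS:
        d = root / rel
        d.mkdir(parents=True)
        (d / "index.php").write_text("<?php // stand-in for the installer\n")
    (root / "forum.php").write_text("<?php // live site file, must survive\n")
    return root


if __name__ == "__main__":
    root = make_sample_docroot()
    print("found :", [str(p) for p in find_install_dirs(root)])
    print("locked:", [str(p) for p in harden_install_dirs(root, "lock")])
    print("mode 000 on install/:", is_locked(root / "install"))
    print("removed:", [str(p) for p in harden_install_dirs(root, "remove")])
    print("left over:", find_install_dirs(root), "| forum.php intact:", (root / "forum.php").is_file())
```

Run it against the real document root with `action="remove"` after an install or upgrade; on a live 5.x site only `core/install` will be reported, and an empty list from `find_install_dirs` afterwards is the check that the advisory's condition is met.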
tingo said: I thought this was in Security 101...
Yes, but apparently not everybody has attended that class.
tingo said:Basic security for most installs: remove permissions on the install directory after you've done installing / upgrading. If you later need it for any reason, restore permissions. I thought this was in Security 101...
zspider said:It even tells you this when you finish the install.