@Dan
IF the hacker's only concern is gaining Administrative access, then yes,
that would be the simplest route. However, things are not always that
cut and dry. For example, during my tenure as Systems Admin for XOOPS, I
dealt with hackers targeting specific users. The hacker(s) would obtain
the MD5 hash of the user, crack it, then log in as that user and send
private messages and post as that user on the forum in an attempt to
create fear. Things are not always cut and dry. There are times when a
hacker may not want to just gain admin access.
@Bull3t,
chmod 444
Read by owner
Read by group
Read by everyone.
If I have command line access to the server and IF the server is not
configured properly (more common than you may think), then I can cat
/path/to/wp-config.php and get the contents of that file from the
command line. That is just one method. If the application has any
vulnerabilities, or is configured improperly by the application's admin
(very common), then there are several other methods a hacker could use
to expose the contents of a file.... shell_exec(); anyone?
Again, things are not always what they seem. You have to look beyond the
surface value and look at all possible scenarios. Hackers don't follow
rules and their reasoning behind their actions does not fit into tidy
little boxes. You have to think outside the box in order to stay ahead
of them.
Just my humble opinion based on my experience. Please take it as such.
Bull3t wrote:
How would someone be able to access wp-config.php? When it is opened in the
users browser it would be run as PHP...
--------------------------------------------
Bull3t
http://www.bull3t.me.uk/
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:wp-testers-
[EMAIL PROTECTED] On Behalf Of PkbCS Contact
Sent: 21 November 2007 16:34
To: [email protected]
Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
Obtaining the MD5 hash is not that difficult. A lot of shared hosts do
not protect the web roots of their users properly which makes it a
trivial task to obtain the contents of wp-config.php and connect to the
user's database and obtain the hash. Simply using word that are not a
part of any language will keep you safe against weaker cracking
attempts; however, a determined hacker can, and will make use of rainbow
tables which have hashes not only for dictionary words, but also huge
collections of random alphanumeric and special character strings.
So, IF the host is setup properly, IF the application is not vulnerable
to queries that can return the admin password hash and IF the hacker is
not determined enough to use a rainbow table to crack the hash, then
yes, it's nothing to worry about.
From what I understand, it's a relatively trivial matter to add a
"salt" function that would further protect the MD5 hash. I believe this
would be the best solution because the upgrade script could prompt the
user for a salt string and the hashes could be converted as part of the
upgrade process. Another option is generating the salt string
automatically and outputting it for the user to save in a safe place.
Bull3t wrote:
You need to know the MD5 hash of the password in the first place and
even
then it is just luck of the draw, it really isn't that worrying. Just
use a
password that isn't part of a language?
--------------------------------------------
Bull3t
http://www.bull3t.me.uk/
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:wp-testers-
[EMAIL PROTECTED] On Behalf Of Pål GD
Sent: 21 November 2007 13:45
To: [email protected]
Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
Cornell Finch wrote:
I know this probably isn't the right place to put this but I don't
know where else to submit it:
http://www.theregister.co.uk/2007/11/21/google_md5_crack/
Is this something we should be worried about?
Collin
Yes, indeed. Wordpress should have been doing salting[1], which I don't
think they do.
[1] http://en.wikipedia.org/wiki/Salting_(cryptography)
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date:
21/11/2007
10:01
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date:
21/11/2007
10:01
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
--
Best regards,
James Morris
PkbCS, LLC
[EMAIL PROTECTED]
http://pkbcs.com/
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date:
21/11/2007
10:01
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date: 21/11/2007
10:01
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
--
Best regards,
James Morris
PkbCS, LLC
[EMAIL PROTECTED]
http://pkbcs.com/
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
