[wp-testers] Wordpress Google MD5 hash crack

Bull3t bull3t at ntlworld.com
Wed Nov 21 16:52:36 GMT 2007


How would someone be able to access wp-config.php? When it is opened in the
user's browser it would be run as PHP...


--------------------------------------------
Bull3t
http://www.bull3t.me.uk/


> -----Original Message-----
> From: wp-testers-bounces at lists.automattic.com [mailto:wp-testers-
> bounces at lists.automattic.com] On Behalf Of PkbCS Contact
> Sent: 21 November 2007 16:34
> To: wp-testers at lists.automattic.com
> Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
> 
> Obtaining the MD5 hash is not that difficult. A lot of shared hosts do
> not protect the web roots of their users properly, which makes it a
> trivial task to obtain the contents of wp-config.php and connect to the
> user's database and obtain the hash. Simply using words that are not a
> part of any language will keep you safe against weaker cracking
> attempts; however, a determined hacker can, and will, make use of rainbow
> tables which have hashes not only for dictionary words, but also huge
> collections of random alphanumeric and special character strings.
> 
> So, IF the host is set up properly, IF the application is not vulnerable
> to queries that can return the admin password hash and IF the hacker is
> not determined enough to use a rainbow table to crack the hash, then
> yes, it's nothing to worry about.
> 
> From what I understand, it's a relatively trivial matter to add a
> "salt" function that would further protect the MD5 hash. I believe this
> would be the best solution because the upgrade script could prompt the
> user for a salt string and the hashes could be converted as part of the
> upgrade process. Another option is generating the salt string
> automatically and outputting it for the user to save in a safe place.
> 
> Bull3t wrote:
> > You need to know the MD5 hash of the password in the first place and even
> > then it is just luck of the draw, it really isn't that worrying. Just use a
> > password that isn't part of a language?
> >
> >
> > --------------------------------------------
> > Bull3t
> > http://www.bull3t.me.uk/
> >
> >
> >> -----Original Message-----
> >> From: wp-testers-bounces at lists.automattic.com [mailto:wp-testers-
> >> bounces at lists.automattic.com] On Behalf Of Pål GD
> >> Sent: 21 November 2007 13:45
> >> To: wp-testers at lists.automattic.com
> >> Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
> >>
> >> Cornell Finch wrote:
> >>
> >>> I know this probably isn't the right place to put this but I don't
> >>> know where else to submit it:
> >>>
> >>> http://www.theregister.co.uk/2007/11/21/google_md5_crack/
> >>>
> >>> Is this something we should be worried about?
> >>>
> >>> Collin
> >>>
> >> Yes, indeed. Wordpress should have been doing salting[1], which I don't
> >> think they do.
> >>
> >> [1] http://en.wikipedia.org/wiki/Salting_(cryptography)
> >> _______________________________________________
> >> wp-testers mailing list
> >> wp-testers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-testers
> >>
> >
> 
> --
> Best regards,
> 
> James Morris
> PkbCS, LLC
> contact at pkbcs.com
> http://pkbcs.com/
> 

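The thread's point about salting, as an added example that is not WordPress code and not from any poster: a constructed "precomputed table" of a few dictionary-word MD5 hashes stands in for a rainbow table; an unsalted hash of a dictionary password is found in it, a hash computed with a per-user random salt is not, and two users with the same password end up with different stored values. The storage format `salt_hex$hash_hex`, the function names and the sample words are assumptions for the example.

```php
<?php
// Added example, not WordPress code. Demonstrates why an unsalted MD5 hash
// can be matched against a precomputed table while a salted hash cannot,
// and how a per-user random salt would be stored and verified.

// Constructed "precomputed table": MD5 of a handful of dictionary words,
// standing in for a rainbow table.
$precomputed = [];
foreach (['password', 'letmein', 'wordpress', 'sunshine'] as $word) {
    $precomputed[md5($word)] = $word;
}

// Unsalted scheme: the same password always yields the same hash,
// so one precomputed table serves every site.
function hash_unsalted(string $password): string
{
    return md5($password);
}

// Salted scheme: 16 random bytes per user, stored alongside the hash.
// Assumed storage format: "salt_hex$hash_hex".
function hash_salted(string $password): string
{
    $salt = bin2hex(random_bytes(16));
    return $salt . '$' . md5($salt . $password);
}

function verify_salted(string $password, string $stored): bool
{
    [$salt, $hash] = explode('$', $stored, 2);
    // hash_equals compares in constant time, so a mismatch leaks no timing
    return hash_equals($hash, md5($salt . $password));
}

// Look a hash up in the precomputed table; null if not present.
function lookup(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

$password = 'letmein';

$unsalted = hash_unsalted($password);
$salted   = hash_salted($password);

echo "unsalted: $unsalted\n";
echo "  table lookup: " . (lookup($precomputed, $unsalted) ?? 'not found') . "\n";

echo "salted:   $salted\n";
[$salt, $saltedHash] = explode('$', $salted, 2);
echo "  table lookup: " . (lookup($precomputed, $saltedHash) ?? 'not found') . "\n";

// A second user with the same password gets a different stored value.
echo "same password, second user: " . hash_salted($password) . "\n";

// The legitimate login path still verifies, and a wrong password is rejected.
var_dump(verify_salted($password, $salted));
var_dump(verify_salted('wrong', $salted));

// MD5, salted or not, is fast to compute; the current PHP equivalent of the
// thread's advice is password_hash()/password_verify() (bcrypt by default),
// which generates and stores its own salt.
$bcrypt = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $bcrypt));
```

Run it with `php example.php`. The salted lookup fails because the table was built over bare words, and an attacker would have to rebuild it per salt; that is the cost salting imposes, independent of how strong the password itself is.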