UER Forum > Archived Old Forum Issues > Security Breach! (Viewed 453 times)
Skaught 


Location: Calgary
Gender: Male




Send Private Message | Send Email | 
Security Breach!
< on 12/9/2004 1:12 AM >
Posted on Forum: UER Forum
 
If you change your password on UER, your old one is stored in plaintext in your cookies.


Are the passwords on the server stored that way as well? That would mean that when the UER server is hacked, the passwords would all be available to a hacker.



If you ever come to Calgary then email [email protected] and you'll be made welcome, taken to locations and given free accommodation. We'll help save you the $$$ you spend on the flight over here :)
el nerdo 

Chief UER Lackey


Gender: Male


What are you, from the Department of Know'm Sayin's? You takin' a Know'm census?

Send Private Message | Send Email | Reverse Snowplow
Re: Security Breach!
<Reply # 1 on 12/9/2004 2:48 AM >
Posted on Forum: UER Forum
 
Posted by Rev. Skaught
If you change your password on UER, your old one is stored in plaintext in your cookies.


Are the passwords on the server stored that way as well? That would mean that when the UER server is hacked, the passwords would all be available to a hacker.




I would imagine it's just the way you submit a new password to the server. When you create a new password, you have to enter the old one... and that specific text entry box probably isn't a password box... or something like that.
Since the "old" password is no longer valid, there's no need to create a hash, hence the plaintext.

I'm sure Av can explain it. I highly doubt there's some kind of security risk.


[last edit 12/9/2004 2:49 AM by el nerdo - edited 1 times]

el nerdo 

Chief UER Lackey


Gender: Male


What are you, from the Department of Know'm Sayin's? You takin' a Know'm census?

Send Private Message | Send Email | Reverse Snowplow
Re: Security Breach!
<Reply # 2 on 12/9/2004 2:53 AM >
Posted on Forum: UER Forum
 
This is the Change Password form:

<FORM METHOD="post" ACTION="forum_changepass.asp">
<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=5 WIDTH="100%"><TR>
<TD CLASS="bgcell2" COLSPAN=2>To change your forum password, you must first specify your current password, and then your new password. Once the password has been successfully changed, you will have to log in again.</TD></TR>
<TR><TD CLASS="bgcell1" COLSPAN=2 ALIGN="center"><BR></TD></TR>
<TR><TD CLASS="bgcell2">Please provide your current password:</TD>
<TD CLASS="bgcell2"><INPUT TYPE="password" NAME="oldpass"></TD></TR>
<TR><TD CLASS="bgcell1">Please provide your new password:</TD>
<TD CLASS="bgcell1"><INPUT TYPE="password" NAME="newpass1"></TD></TR>
<TR><TD CLASS="bgcell2">Type your new password again:</TD>
<TD CLASS="bgcell2"><INPUT TYPE="password" NAME="newpass2"></TD></TR>
<TR><TD CLASS="bgcell1" COLSPAN=2>
<INPUT TYPE="submit" VALUE="Change Password"></TD></TR></TABLE>
<INPUT TYPE=hidden NAME=action VALUE=change>
<INPUT TYPE=hidden NAME=fid VALUE="1">
</FORM>


I don't see anything there... but we wouldn't anyways... would need to see the forum_changepass.asp file to see if there was a problem.
[last edit 12/9/2004 2:53 AM by el nerdo - edited 1 times]

arcanehl 


Gender: Male




Send Private Message | Send Email
Re: Security Breach!
<Reply # 3 on 12/9/2004 2:56 AM >
Posted on Forum: UER Forum
 
Your password is stored (plaintext) in the cookie named "avpass2." Likewise your username in "avuser2." And I believe the password is stored in a plaintext format on the database since you can retrieve it, though it could be encrypted.

Fubster 


Location: Tampa Bay Area, Florida
Gender: Male


Though highly intelligent, guide dogs cannot interpret street signs.

Send Private Message | Send Email | AIM Message | Urban Exploration Photos
Re: Security Breach!
<Reply # 4 on 12/9/2004 3:16 AM >
Posted on Forum: UER Forum
 
Just because information is stored in plaintext on your computer, it doesn't mean it's the same way on the server. When you're looking at an encrypted HTML document over the internet, does it look like what you see when you try to watch Cinemax late at night and you haven't paid up?

Sometimes, you need to march right in and demand your rights, even if you don't know what your rights are, or who it is you're talking to. Then, on your way out, slam the door.
Avatar-X 

Alpha Husky


Location: West Coast
Gender: Male


yay!

Send Private Message | Send Email | AvBrand
Re: Security Breach!
<Reply # 5 on 12/9/2004 5:00 AM >
Posted on Forum: UER Forum
 
The passwords are stored in whatever way I prefer to store them. It doesn't really matter. If the server is hacked, there's much more at risk than people's passwords.

Fortunately, I keep my server up to date to minimize the risk of a hack attack.

huskies - such fluff.
Servo 






Send Private Message | Send Email
Re: Security Breach!
<Reply # 6 on 12/9/2004 5:03 AM >
Posted on Forum: UER Forum
 
Seems the best thing to do is not re-use passwords. Then you have nothing to fear. As Av says, if the server gets hacked, then there's worse things to worry about than them knowing your password -- and if you only used it in one place, here, then you don't have to worry about them getting into your email or something.

HauntedPA 


Location: Anywhere and Everywhere
Gender: Female


What do you mean the rum is gone?!

Send Private Message | Send Email
Re: Security Breach!
<Reply # 7 on 12/9/2004 4:47 PM >
Posted on Forum: UER Forum
 
Also there's really nothing to be gained by having a password. Save for the location database of course. I mean one can browse and read all the topics they wish, but can't post. I'd say that's the real problem here.

MacGyver 


Location: St Paul, Minnesota
Gender: Male


"Someone go find me a paperclip, a D-cell battery, and a cheese grater"

Send Private Message | Send Email
Re: Security Breach!
<Reply # 8 on 12/9/2004 8:25 PM >
Posted on Forum: UER Forum
 
Posted by Rev. Skaught
...when the UER server is hacked, the passwords would all be available to a hacker.


Is that a threat? Your wording has a certain malicious undertone that I am not particularly fond of.

Posted by HauntedPA
Also there's really nothing to be gained by having a password. Save for the location database of course. I mean one can browse and read all the topics they wish, but can't post. I'd say that's the real problem here.


Not exactly. People have private boards that they don't want random people to be able to access.

Also, bear in mind that this is a web forum, not your bank or insurance company. For a free service, I think the level of security and quality overall is just fine.
[last edit 12/9/2004 8:27 PM by MacGyver - edited 1 times]

Like a fiend with his dope / a drunkard his wine / a man will have lust for the lure of the mine

"If you are not part of the solution, you are not dissolved in the solvent."
Fubster 


Location: Tampa Bay Area, Florida
Gender: Male


Though highly intelligent, guide dogs cannot interpret street signs.

Send Private Message | Send Email | AIM Message | Urban Exploration Photos
Re: Security Breach!
<Reply # 9 on 12/9/2004 8:31 PM >
Posted on Forum: UER Forum
 
I doubt that anyone who overtly asks about the way that passwords are stored has the ability to hack their way into a wet cardboard box with a machete, I wouldn't worry.

Sometimes, you need to march right in and demand your rights, even if you don't know what your rights are, or who it is you're talking to. Then, on your way out, slam the door.
IIVQ 


Location: La Sud-Est du cité majeur du North-Holland (Bijlmer), .NL
Gender: Male


Back in Urbex!

Send Private Message | Send Email | Add to ICQ | Yahoo! IM | IIVQ.net
Re: Security Breach!
<Reply # 10 on 12/9/2004 9:39 PM >
Posted on Forum: UER Forum
 
Posted by Rev. Skaught
If you change your password on UER, your old one is stored in plaintext in your cookies.

Are the passwords on the server stored that way as well? That would mean that when the UER server is hacked, the passwords would all be available to a hacker.

It's a cracker, not a hacker.
Look up the difference!

Tijmen

P.S. hacking your way into a wet cardboard box is more difficult than you'd think, as I tried with an old dishwasher box.



Posted by MapMan | 18/9/2005 19:25 | Hedy Lamarr made porn?
Posted by turbozutek | 20/9/2005 2:29 | Dude, educate us!
Skaught 


Location: Calgary
Gender: Male




Send Private Message | Send Email | 
Re: Security Breach!
<Reply # 11 on 12/10/2004 1:04 PM >
Posted on Forum: UER Forum
 
Point taken, I am a hacker, not a cracker.

But then I am a hacker and I found it.

I was just always taught, keep passwords hashed at every point in the chain.

Seems to me that there would be plenty of incriminating evidence about people doin' stuff in the private forums. All it would take is one other person in that forum to log in from a public terminal or from work and all the private info about the other users would be compromised.

(A good argument against using public terminals and work computers as well)

People often forget, passwords do not just protect your info, they are protecting the people who trust you.

Overall, ya this is not banking, but hashing passwords takes like 3 lines of code. Not foolproof, but for the amount of work required it offers noticeable improvement.





If you ever come to Calgary then email [email protected] and you'll be made welcome, taken to locations and given free accommodation. We'll help save you the $$$ you spend on the flight over here :)
Avatar-X 

Alpha Husky


Location: West Coast
Gender: Male


yay!

Send Private Message | Send Email | AvBrand
Re: Security Breach!
<Reply # 12 on 12/10/2004 1:06 PM >
Posted on Forum: UER Forum
 
The password still has to be transmitted in plain text when the person logs in. Anyone with access to the server could easily modify the code to spit out the passwords in the login script, and hashing wouldn't make a difference.

-av

huskies - such fluff.
Skaught 


Location: Calgary
Gender: Male




Send Private Message | Send Email | 
Re: Security Breach!
<Reply # 13 on 12/10/2004 1:13 PM >
Posted on Forum: UER Forum
 
True enough.

Although I thought it was possible to generate a cookie that does not actually contain the password in clear text.

(I am not a programmer, my training is in designing the physical structure of the Internet, not the 1's and 0's on it.)
[last edit 12/10/2004 1:16 PM by Skaught - edited 1 times]

If you ever come to Calgary then email [email protected] and you'll be made welcome, taken to locations and given free accommodation. We'll help save you the $$$ you spend on the flight over here :)
Avatar-X 

Alpha Husky


Location: West Coast
Gender: Male


yay!

Send Private Message | Send Email | AvBrand
Re: Security Breach!
<Reply # 14 on 12/10/2004 2:30 PM >
Posted on Forum: UER Forum
 
Posted by Rev. Skaught
I am not a programmer, my training is in designing the physical structure of the Internet, not the 1's and 0's on it.


Then how about you leave the programming to the programmers.

-av

huskies - such fluff.
-MisfitStyle- 






Send Private Message | Send Email
Re: Security Breach!
<Reply # 15 on 12/10/2004 5:45 PM >
Posted on Forum: UER Forum
 
As a programmer, I have to say "Fucking eh".

"I feel like I just got in a battle of wits with some kid in a helmet I found licking a window."

Need help? Please use the Contact a Mod forum — I'm slow to see PMs.
Anymouse 


Location: Calgary, AB
Gender: Male




Send Private Message | Send Email | Add to ICQ | Yahoo! IM | AIM Message | Urban Exploration Alberta
Re: Security Breach!
<Reply # 16 on 12/11/2004 1:45 AM >
Posted on Forum: UER Forum
 
It should be entirely possible to store a session token instead of the password in the cookie. The password is still sent cleartext, but it is a lot harder to sniff a password on a medium (ie. gaining physical access to that medium, without resorting to james-bond/jester tactics) than it is to simply check someone's cookies. Then the password is checked against a hashed version on the server.

That's how I have it set up on the UEA site. I just have a table of session IDs, and a flag that sets which are cookied (ie. the session does not expire within half an hour of inactivity, like a normal one would). I thought ASP did transparent sessions, in which case it would be super simple.

In PHP, I had the option of using transparent sessions (it automatically adds a session ID to each link, so it is propagated through the GET requests) - but I would have had to recompile PHP with some configure option, and I'm not allowed to touch that stuff - so I wrote it myself, and have to remember to manually add the session ID to each link.

That's the opinion of a programmer on the issue.
[last edit 12/11/2004 1:47 AM by Anymouse - edited 1 times]
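The two programming points raised in this thread (Skaught's "keep passwords hashed at every point in the chain" in Reply #11, and Anymouse's session-token table with a "cookied" flag and a half-hour idle timeout in Reply #16) fit together in one small design, shown below as an added example. This is not UER's forum_changepass.asp, nor Anymouse's UEA code; the in-memory USERS and SESSIONS tables, the function names, and the constructed sample credentials are all assumptions for illustration. The cookie value is a random token that can be looked up in the session table; the password itself is never written to the cookie, and only a salted PBKDF2 hash of it is kept on the server side.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory "tables"; a real site would keep these in its database.
USERS = {}     # username -> (salt, pbkdf2 hash); the plaintext password is never stored
SESSIONS = {}  # session id -> {"user", "last_seen", "cookied"}

IDLE_TIMEOUT = 30 * 60  # seconds: a non-cookied session expires after 30 minutes idle
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, hash). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(username, password):
    USERS[username] = hash_password(password)


def verify_password(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password)  # do the same work so unknown users cost the same time
        return False
    salt, stored = rec
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def login(username, password, remember=False, now=None):
    """Return the cookie value to set, or None on bad credentials.

    The cookie carries only a random session id; the password never goes into it.
    """
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": username,
        "last_seen": time.time() if now is None else now,
        "cookied": remember,  # the "cookied" flag: persistent sessions skip the idle timeout
    }
    return sid


def user_for_cookie(sid, now=None):
    """Resolve a cookie token to a username, enforcing the idle timeout for normal sessions."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if not sess["cookied"] and now - sess["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]  # expired: treat the cookie as if it never existed
        return None
    sess["last_seen"] = now
    return sess["user"]


def logout(sid):
    SESSIONS.pop(sid, None)


def change_password(username, old, new):
    """Check the old password against its hash, store the new hash, and end every
    session for the user so they must log in again, as the UER form text says."""
    if not verify_password(username, old):
        return False
    USERS[username] = hash_password(new)
    for sid in [s for s, v in SESSIONS.items() if v["user"] == username]:
        del SESSIONS[sid]
    return True
```

The design does not address the point Avatar-X makes in Reply #12: the password still travels to the server in the clear at login, and anyone who controls the server can log it there before hashing. What it changes is the blast radius of the two cases the thread actually describes: a copied cookie yields a revocable token rather than a reusable password, and a copied user table yields salted hashes rather than the passwords themselves.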

INeedAttention.com 

Noble Donor


Location: New York, NY
Gender: Male


Senior troll analyst

Send Private Message | Send Email | AIM Message | All Abandoned
Re: Security Breach!
<Reply # 17 on 12/16/2004 9:33 PM >
Posted on Forum: UER Forum
 
Plaintext or not, I trust that if UER would ever be hacked, that still no one could crack my password because it's so good -- it's not just good, it's 'shadowfax'. No one would EVER guess 'shadowfax'!

Oh no! My hubris has undone me again!
/apologizes for slight off-topic humor

Colours, LINKS, images, etc are not allowed, text and LINKS only. Emphasis mine.