| Author |
Message |
hireamerica
Client
Joined: Sep 30, 2004
Posts: 103
Location: New Jersey
|
 Posted:
Mon Feb 27, 2006 10:25 am |
|
Just noticed that the password is listed in plaintext, as well as MD5 and showing the Crypt Salt.
So incidentally, any hack able to select that information gets your admin and might be able to get other accounts (like email) if you double-use your password there.
The recent UNION exploits might be pulling that, FYI.
Anything we can do to shut down the plain text "password" column?
Incidentally, I changed my Admin password but it didn't change what is in this table (yet).
[ Only registered users can see links on this board! Get registered or login! ] |
| |
|
  
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Mon Feb 27, 2006 10:45 am |
|
Try doing a Scan For New Admins and see if it picks up your new password. |
| |
|
|
|
|
hireamerica
|
| Posted:
Mon Feb 27, 2006 10:55 am |
|
It did not. Said the scan completed and then the Admin Auth list still shows the old.
Worrying that many of us have tried that CGI Auth and then maybe still use or just don't use anymore. The plaintext appearance of the password there worries me because of the UNION attacks.
If that password is still the password to the Admin....whoops! |
| |
|
|
|
|
Raven
|
| Posted:
Mon Feb 27, 2006 11:04 am |
|
If you have changed from CGI to HTTPAuth, be sure to remove the path to .staccess in your Admin Panel. |
| |
|
|
|
|
hireamerica
|
| Posted:
Mon Feb 27, 2006 11:11 am |
|
It's off for me...issue is that at HTTPAuth it's not recognizing my Admin password and .htaccess is set right. So I use neither Auth. But the Turkish hacker, if he got my password from clear text in the table got my email which had the same password. Doesn't now.... |
| |
|
|
|
|
Raven
|
| Posted:
Mon Feb 27, 2006 11:15 am |
|
Select HTTPAuth and delete the path to .staccess
Make sure that you are using the .htaccess that comes with a fresh install, ie, all the references to CGIAuth are commented out.
Use phpMyAdmin and delete all passwords in the nsnst_admin table. Then, just add the md5() pass. |
| |
|
|
|
|
hireamerica
|
| Posted:
Mon Feb 27, 2006 11:24 am |
|
If you do that then HTTPAuth doesn't work again. I just get the normal Admin login even after clearing cache, cookies, etc.
NukeSentinal says in preferences: You MUST set ALL admin passwords before activating HTTPAuth or CGIAuth!
If I wipe the cleartext passwords in nuke_nsnst_admins, it knows it's blank and shows that msg instead of "Off, CGIAuth, HTTPAuth". |
| |
|
|
|
|
Raven
|
| Posted:
Mon Feb 27, 2006 11:30 am |
|
Make sure that you are using the .htaccess that comes with a fresh install, ie, all the references to CGIAuth are commented out.
Delete the path to .staccess.
Use phpMyAdmin and delete the NukeSentinel admin record.
Run Scan for new admins.
Set the new password.
Select HTTPAuth.
Save. |
| |
|
|
|
|
hireamerica
|
| Posted:
Mon Feb 27, 2006 11:49 am |
|
I'm doing all that...the issue is this:
When it's all working fine the vulnerability is still there: a UNION attack can do a simple select password from nuke_nsnst_authors and get it in plain text.
I'm not saying the HTTPAuth doesn't work (it does), I'm just concerned about that in light of the attack I had on my site.
I'm also just incidentally bringing up the fact that if you wipe out the clear text password column entry, then the HTTPAuth doesn't work. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
