
I can't get my password

  • 15-01-2002 9:59pm
    #1
    Closed Accounts Posts: 9


    having huge problems getting my password,
    i had to reset it, then i got the email, clicked the link and was told i had not entered a valid address. could someone send my password to logitech@ntlworld.ie, it's «Bo§ton» BTW
    Post edited by Shield on


Comments

  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    sorry, this is getting impossible, i can't use the board like this, i have to use a back door entrance (btw the board needs better security) to even post this, but i have to redo it every five minutes or so.

    i figured it would be a simple matter of an admin to find my password and email it to me


  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,389 Mod ✭✭✭✭Lenny


    What do you mean by "backdoor entrance" ?

    Did you check your cookies or something?


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    long story, i found a way to enter the site and post without actually having the password.
    it's nothing to do with cookies


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    bloody hell, there it goes again, this is annoying, i won't be posting until it's sorted out.


  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,389 Mod ✭✭✭✭Lenny


    So is it possible to post something under anyone's name?

    Try mine :)


  • Registered Users Posts: 2,660 ✭✭✭Baz_


    smart man however he did it


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Hey Boston, care to drop me a mail or personal message about the problem(s)?

    Thanks.


  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,389 Mod ✭✭✭✭Lenny


    Ger outa that ecksor,
    I asked first :p


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    sorry, no can do, i finally got my pass sorted out, thanks to cloud, and now i'm back in business, i don't think spreading around how i was able to post on the boards would be a good idea either


  • Registered Users Posts: 9,046 ✭✭✭Dustaz


    Somehow i think you can trust ecksor :)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    If you don't want to tell me, then tell Regi, Cloud or DeVore please.


  • Registered Users Posts: 11,446 ✭✭✭✭amp


    Boston. ecksor is boards.ie's security bloke and an Admin (hence the custom tag)


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    i already sent you an email, or at least someone claiming to be you ecksor.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Yes, so you did. Apologies for that, some of my mail got mislaid.

    Thanks for the info, I'll look into it.


  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,389 Mod ✭✭✭✭Lenny


    How big of a security issue was it ecksor?


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    Minor, as you want to be a leet code breaker or something messed up like that to break the security code. like, you couldn't just pick a name and get access to the account. I already had the code for what i wanted to do, but i wouldn't have yours or anybody else's

    One thing i would advise, don't register for the boards with a hotmail account or yahoo or whatever.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Boston sent me a nicely detailed account of the problem and how to reproduce it. I'll do a decent analysis of it later (I'm seriously busy lately with work and some boards stuff) and post my findings. If it's a bug, I'll let the vbulletin people know.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Let me know too ecksor, will ya? I run a vBulletin installation on foot.ie. I wouldn't trust those vBulletin prix as far as I could throw them.

    Cheers,
    adam


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Right. Here's the skinny. I reckon this isn't too bad, but I'll let you all make up your own minds.

    When you request to have your password reset, you submit an email address to vbulletin. vbulletin does a search to see which user has that address, generates a large random number, takes a note of the time and the userid of the person and stores this info in a table designed for this purpose. An URL is sent to your email address which has the userid and the large random number in it.

    When you request this URL, the software checks to see if a corresponding record exists for that userid and the random number. If it does, then it checks the time to see if it is less than 24 hours old. If it doesn't exist, or it's more than 24 hours old, then it gives an error. Otherwise, it changes that user's password, and mails it to their e-mail address.

    One possible attack would be to find a user whose email address you know (not everyone publishes their email address, but some do, and in my case it's easy to guess etc.), and put that into the "I lost my password" form. That user then gets an email with the activation ID (random number) embedded in an URL. You now have 24 hours in which to keep trying combinations of that url with the user's userid, and guessing a different activation ID each time. If you are lucky, you will get it within your first 8 to 10 million gos. If this is successful, then the user will get a new password mailed to them (not a disaster).

    Obviously if someone can intercept the mail, then they have the password, but if it's been intercepted at the user's end, I reckon the user has more problems to worry about and if it's been intercepted at our end, we probably have bigger things to worry about. Obviously it could be sniffed anywhere in between the boards network and the users' network, but in practice this would be quite difficult to do to get a specific user's password I reckon.

    I've briefly looked at the possibility of guessing what the random number is successfully. The function used is md_rand(), which supposedly uses a near cryptographic strength random number generator, so that should be "good enough". If anyone knows better, let me know. Actually, just looking at the code, they use it in such a way that you could probably go to the bother of preparing an attack that would guarantee that you got it within your first million tries, but I'm not sure if that would work.

    Boston said that when he clicked on the link that was sent to him, he was given an error (this is the bug that this thread started with, which we haven't figured out yet) but he was allowed to post under his own user account for a few minutes. I was unable to reproduce this, and I can't see anything in the code that would be authenticating this. However, I'm prepared to believe that I may have missed something so I'll look at it again tomorrow when I'm a bit fresher.
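
The reset flow ecksor describes above, sketched in Python as an added example (not vBulletin's code and not part of the thread): it keeps the userid, the timestamp and the 24-hour window. Its own assumptions are a 256-bit token from the OS CSPRNG, hash-only storage, and invalidation after `MAX_BAD_GUESSES` wrong tries; `ResetStore` and its in-memory table are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 60 * 60   # the 24-hour window described in the thread
MAX_BAD_GUESSES = 5        # assumed limit; the flow in the thread has none


class ResetStore:
    """In-memory stand-in for the password-reset table (hypothetical schema)."""

    def __init__(self, clock=time.time):
        self._rows = {}     # userid -> [token_hash, issued_at, bad_guesses]
        self._clock = clock

    def issue(self, userid):
        """Create the token for the e-mailed URL; only its hash is stored."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._rows[userid] = [digest, self._clock(), 0]
        return token

    def redeem(self, userid, token):
        """Return True once, for the right token, inside the window."""
        row = self._rows.get(userid)
        if row is None:
            return False
        digest, issued_at, _ = row
        if self._clock() - issued_at > TOKEN_TTL:
            del self._rows[userid]          # expired
            return False
        guess = hashlib.sha256(token.encode()).digest()
        if hmac.compare_digest(guess, digest):   # constant-time compare
            del self._rows[userid]          # single use
            return True
        row[2] += 1
        if row[2] >= MAX_BAD_GUESSES:
            del self._rows[userid]          # guessing no longer has a target
        return False
```

With the per-user counter, repeated guessing against one userid ends after a handful of requests, and the user simply requests a fresh link.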


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    i think it's linked to the fact that i never log out. so when it saw me using the code it would think it was maybe a cookie or something and think i must be logged in and let me go and post. probably a side effect of the bug.

    the "backdoor entrance" failed to work, when, having used the link, i pressed the log out button.

    All in all i'd say this is extremely minor, since in order to get it to work you would probably need to recreate the bug, which seems to have been, in itself, a one in a million shot.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Having to take a million goes at it would deter all but the most determined hackers, and I don't think DeV has pi$$ed off anyone with that kind of expertise or determination :)


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Thanks for the report ecksor.

    adam


  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    Originally posted by ecksor
    *

    The problem with that is there would be a massive number of hits that even a casual look at the server logs would show up as something suspect.

