Any one else have problems posting?


  • #16
    Originally posted by IODICK
    The Sqrt() of Pi is 1.7724538515682938875632762356675467 ..
    Wow, IODICK suddenly got smarter



    • #17
      Originally posted by Evan
      If you use Adrian's remote proxy to log in to the BBS or use any function that requires you to enter your password, it is possible for Adrian to capture your password. I am not saying he does but the possibility exists.

      All he needs to do is to modify the login page so it doesn't call the MD5 hash function so that your password is returned to his proxy in plaintext. He can then run the MD5 hash to present it to the HSM server.

      Since all communication with the HSM server is unencrypted except the password, it is trivial to do. Only this part of the web page needs to be modified:

      Code:
      <!-- login form -->
              <form action="login.php" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
              <script type="text/javascript" src="clientscript/vbulletin_md5.js">
      Yup, there is almost an unlimited list of things I can do, however I don't do anything unusual except tickle IOWOLF a little bit. I log posts in case someone tries to abuse this system via my proxy.

      If anyone doesn't want their post logged, then run the local proxy server.

      -Adrian
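
Added example, not part of the original thread: a check a user could run against the login page as it arrives through a proxy, to see whether the client-side hashing hook quoted above is still wired in. The function and class names are hypothetical and both sample pages are constructed; only the form attributes and script path come from the quoted fragment.

```python
from html.parser import HTMLParser

class LoginFormAudit(HTMLParser):
    """Collect the login form's attributes and the external scripts the page loads."""
    def __init__(self):
        super().__init__()
        self.login_forms = []   # attribute dicts of <form action="login.php">
        self.script_srcs = []   # src of every external <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action", "").split("?")[0].endswith("login.php"):
            self.login_forms.append(a)
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

def audit_login_page(html):
    """Return a list of findings; an empty list means the hashing hook is present."""
    p = LoginFormAudit()
    p.feed(html)
    findings = []
    if not p.login_forms:
        findings.append("no login.php form found")
    for form in p.login_forms:
        onsubmit = form.get("onsubmit", "")
        if "md5hash(" not in onsubmit or "vb_login_password" not in onsubmit:
            findings.append("login form does not call md5hash on vb_login_password")
        if form.get("method", "").lower() != "post":
            findings.append("login form is not submitted with POST")
    if not any(s.split("?")[0].endswith("clientscript/vbulletin_md5.js")
               for s in p.script_srcs):
        findings.append("vbulletin_md5.js is not loaded")
    return findings

# Constructed samples: the fragment from the post (tags closed), and the same
# form with the onsubmit handler and script include removed.
ORIGINAL = '''<form action="login.php" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<script type="text/javascript" src="clientscript/vbulletin_md5.js"></script></form>'''
STRIPPED = '<form action="login.php" method="post"><input name="vb_login_password"></form>'

if __name__ == "__main__":
    for name, page in (("original", ORIGINAL), ("stripped", STRIPPED)):
        print(name, audit_login_page(page) or "ok")
```

A clean result only shows that the markup is intact; the contents of vbulletin_md5.js as delivered through the proxy would have to be compared against a known-good copy separately.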



      • #18
        Originally posted by 3 Phase Lightbulb
        Yup, there is almost an unlimited list of things I can do, however I don't do anything unusual except tickle IOWOLF a little bit. I log posts in case someone tries to abuse this system via my proxy.

        If anyone doesn't want their post logged, then run the local proxy server.

        -Adrian
        There's one in every crowd, usually it's me. As the saying goes there is always a bigger D*CK.
