Thanks for the help guys
Hi,
We store user passwords as a hash value with a salt phrase using CF.
However, we have recently had a penetration test done on our servers
and they have advised that when the password gets sent to the server,
the actual password gets stored in the browser
I recently discovered this when I signed up for lastpass and it shows you
all the login details stored in your browser and I'm quite sure most of these
I have not intentionally saved. So if lastpass can do it, then any web app
can do it.
This is interesting reading:
On Fri, Feb 7, 2014 at 2:37 PM, Richard White wrote:
1) is this best practise as if the salt phrase is contained within
Javascript it will be easy for anyone to see what it is
Why would it be a problem if somebody saw it? It still increases the
complexity for a would-be attacker. Just make
That's very curious. The CVE that Adobe references in their release (
CVE-2012-0770 ) doesn't seem to be a valid CVE number, though it comes
up in some google searches. But it isn't in the National Vulnerability
Database or at cvedetails.com
The vulnerability they are describing seems to be the
The vulnerability they are describing seems to be the one described here
From the comment below, I think it is the same issue
http://forums.adobe.com/message/4264032#4264032
-Leigh
Thanks, Leigh, looks like that verifies that it is the same issue. Now
I'm curious why it took Adobe til the middle of March to fix a
vulnerability that everyone else fixed by early January at the latest.
At least it is fixed.
Cheers,
Judah
On Tue, Mar 13, 2012 at 12:29 PM, Leigh
Judah - I was wondering the same thing. When it was first announced, I could
not seem to find any CF specific details. I just assumed it was applicable
because java was vulnerable.
-Leigh
From: Judah McAuley
Sent: Tuesday, March 13, 2012 3:36 PM
Subject: Re: hash collision
Thanks, Leigh
On Tue, Mar 13, 2012 at 8:36 PM, Judah McAuley wrote:
Thanks, Leigh, looks like that verifies that it is the same issue. Now
I'm curious why it took Adobe til the middle of March to fix a
vulnerability that everyone else fixed by early January at the latest.
Just like with their other
On Tue, Mar 13, 2012 at 1:06 PM, Jochem van Dieten joch...@gmail.com wrote:
On Tue, Mar 13, 2012 at 8:36 PM, Judah McAuley wrote:
Thanks, Leigh, looks like that verifies that it is the same issue. Now
I'm curious why it took Adobe til the middle of March to fix a
vulnerability that everyone
Hi Eric,
Are you using a hash()? Because that output looks like you are doing a
URLEncodedFormat().
If you are doing a SHA hash, the result would be a bunch of characters like
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
If you are URLEncodedFormat() you'd get what you have:
ColdFusion thinks the # is the start of a variable name.
All you need to do is double it up to escape it:
cfset MyDoc.rows.XmlChildren[1].XmlChildren[2].XmlText = ##cspan /
~Brad
- Original Message -
From: Richard White rich...@j7is.co.uk
To: cf-talk cf-talk@houseoffusion.com
Sent:
perfect, thanks brad
richard
ColdFusion thinks the # is the start of a variable name.
All you need to do is double it up to escape it:
cfset MyDoc.rows.XmlChildren[1].XmlChildren[2].XmlText = ##cspan /
~Brad
On Thursday 08 Mar 2007, Ben Doom wrote:
MD5 is an older standard. I don't remember what it stands for. It is
still widely used for signing things like software downloads (look for
it where you download Linux CDs or on Sourceforge). It is not secure
the same way the lock on my door isn't
There are a number of people who use rainbow tables on a regular basis
that would beg to differ on this point.
On 3/9/07, Tom Chiverton [EMAIL PROTECTED] wrote:
Likewise, if I give you a MD5 hash of my password, you can't tell me what my
password is.
--
mxAjax / CFAjax docs and other useful
On Friday 09 Mar 2007, James Holmes wrote:
There are a number of people who use rainbow tables on a regular basis
that would beg to differ on this point.
Using brute force to find a hash collision is not the same as finding out my
password.
--
Tom Chiverton
Helping to heterogeneously restore
On Friday 09 Mar 2007, James Holmes wrote:
There are a number of people who use rainbow tables on a
regular basis
that would beg to differ on this point.
Using brute force to find a hash collision is not the same as
finding out my password.
Password discovery is password discovery,
On Friday 09 Mar 2007, Paul Vernon wrote:
If you discover the password, then in many cases, you have the keys to the
kingdom and although MD5 is stronger than plain text storage and would
deter the casual hack, it is now known to be flawed and computing power
these days means this flaw is more
On Friday 09 Mar 2007, Paul Vernon wrote:
If you discover the password, then in many cases, you have
the keys to
the kingdom and although MD5 is stronger than plain text
storage and
would deter the casual hack, it is now known to be flawed and
computing power these days means this
On Friday 09 Mar 2007, Paul Vernon wrote:
Did I say it would?
No.
Going a bit OT now...
I think all web developers should have an understanding of these issues, which
means debating them.
This goes double if you are executing code on the server.
--
Tom Chiverton
Helping to administratively
Tom Chiverton wrote:
It's not defeatable in any useful sense.
::snip::
Likewise, if I give you a MD5 hash of my password, you can't tell me what my
password is.
I cannot necessarily tell you what your password is. However, I can
determine a string with the same hash value, such that it will
I cannot necessarily tell you what your password is.
However, I can determine a string with the same hash value,
such that it will work just as well as your password. It
might be a 197 character piece of junk, but it will still work.
Of course, I in this case is a hypothetical me who
On Thursday 08 Mar 2007, Robert Rawlins - Think Blue wrote:
Presumably they become more complex, and therefore more secure from top to
bottom, so why would you not specify the SHA-512 on all hash encryption you
do, I know that hash is generally regarded as a one way encryption so why
do they
Ok thanks for that Tom, I'd made an educated guess about the performance of
generating a SHA-512, it just interested me.
Thanks again for that tid-bit
Rob
-Original Message-
From: Tom Chiverton [mailto:[EMAIL PROTECTED]
Sent: 08 March 2007 10:19
To: CF-Talk
Subject: Re: Hash
MD5 is an older standard. I don't remember what it stands for. It is
still widely used for signing things like software downloads (look for
it where you download Linux CDs or on Sourceforge). It is not secure
the same way the lock on my door isn't secure -- it's defeatable, but
it's a good
Sixten Otto wrote:
the default mode of the Hash() function is a CFMX compatibility mode that
uses who knows what algorithm. It's also possible that to duplicate the value
PHP produces, one might need to specify the encoding to Hash(), as well.
According to livedocs, the default is MD5 in
On Tuesday 07 November 2006 13:11, Rick Root wrote:
the default mode of the Hash() function is a CFMX compatibility mode
that uses who knows what algorithm. It's also possible that to duplicate
the value PHP produces, one might need to specify the encoding to Hash(),
as well.
According
Rick Root wrote:
According to livedocs, the default is MD5 in CFMX 7.
Now that I look again, it actually designates *both* as the default (ain't that
just par for the course!). But the livedocs are very clear about the existence
of a 6/6.1 compatibility mode:
* CFMX_COMPAT: Generates a hash
[EMAIL PROTECTED] wrote:
$passwd = md5(md5($passwd) . $SALT);
What would be the equivalent syntax in CF?
<cfset passwd = hash(hash(passwd) & SALT)>
Pretty straightforward.
Rick
-Original Message-
From: Rick Root [mailto:[EMAIL PROTECTED]
Sent: 06 November 2006 19:58
To: CF-Talk
Subject: Re: hash() encryption
[EMAIL PROTECTED] wrote:
$passwd = md5(md5($passwd) . $SALT);
What would be the equivalent syntax in CF?
<cfset passwd = hash(hash(passwd) & SALT)>
Pretty
michael.wright74 wrote:
$passwd = md5(md5($passwd) . $SALT);
$SALT is a random generated 3 character value.
What would be the equivalent syntax in CF?
password = Lower(Hash(Lower(Hash(passwd)) & SALT));
Jochem
Jochem van Dieten wrote:
michael.wright74 wrote:
$passwd = md5(md5($passwd) . $SALT);
What would be the equivalent syntax in CF?
password = Lower(Hash(Lower(Hash(passwd)) & SALT));
Er, I think you mean:
passwd = LCase(Hash(LCase(Hash(passwd, "MD5")) & SALT, "MD5"));
There's no Lower() in CFML.
08:09:49 GMT
To: CF-Talk cf-talk@houseoffusion.com
Subject: re: hash() encryption
Rick,
To be honest I thought it would be that, however it doesn't return the
expected value.
I'm going to have to look again at the original php code and see if I'm
missing something else.
Don't
Sixten,
Many thanks - that's exactly it.
From: Sixten Otto [EMAIL PROTECTED]
Date: 2006/11/06 Mon PM 08:10:24 GMT
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: hash() encryption
Jochem van Dieten wrote:
michael.wright74 wrote:
$passwd = md5(md5($passwd) . $SALT);
What
Are you certain that the VB.NET output is SHA-1 and that you've copied the
complete input string correctly?
Here's how I would do what you've got in VB with CF:
<cfscript>
testString = "SENTRYORD01154321SENTRYORD01154321";
HashValue = Hash(testString,'SHA-1','UTF-8');
sa =
go to the Macromedia (Adobe) exchange and look for SHA-1.. there's
already code that hashes strings using the SHA-1 algorithm.
I actually utilized it and converted the CF to VB 6 for a project.
On 10/2/06, Peter Boughton [EMAIL PROTECTED] wrote:
Are you certain that the VB.NET output is SHA-1
Be careful with encryption moving from .Net to CF and vice versa. Just
because the one names the algorithm the same way as the other it doesn't
follow that you can just encrypt in one and decrypt in the other.
There are differences in formatting and such (Base64 output vs. hex strings,
for
Can anyone help me to convert this VB.NEt code to Coldfusion code. I'm
trying to do it but the output isn't the same.
[snip]
[VB.Net] Output:WbwSWEBzPqgo9C4nZmGwHhd/FBQ=
I fired up VS 2005 and created a new console app with the code you posted, and
the output I got from the VB.NET program
Ah, it looks like VB.NET uses 160-bit SHA-1, which is 20 bytes/characters,
compared to CF's 28 characters.
As pointed out by Greg, Adobe Exchange has a SHA-1 custom tag, and that is
160-bit so should match the value that VB.NET is producing:
Try using SHA instead of MD5?
On 10/2/06, Juman Lop [EMAIL PROTECTED] wrote:
Can anyone help me to convert this VB.NEt code to Coldfusion code. I'm trying
to do it but the output isn't the same.
VB.NET cod:
''
Input:
Be careful with encryption moving from .Net to CF and vice versa. Just
because the one names the algorithm the same way as the other it doesn't
follow that you can just encrypt in one and decrypt in the other.
For example, the MD5 hash used in CF is a short version that uses
hexadecimal notation.
Try using SHA instead of MD5?
On 10/2/06, Juman Lop [EMAIL PROTECTED] wrote:
--
CFAJAX docs and other useful articles:
http://www.bifrost.com.au/blog/
I have been trying to change the MD5 with Sha but the output is still do not
work properly.
I have not as I don't think this is built into ColdFusion directly. If you
can, find someone who has worked with Google Checkout, as I believe they
need to do just that in order to encrypt the the shopping cart XML. In fact,
you might want to try looking at the Google Checkout documentation, as
I'm trying to reverse engineer a hash ...
The whole point of a hash algorithm is that it should not be susceptible to
reverse-engineering. That is, given a hash, you should never be able to
derive the original value from which the hash was created. If this is in
fact the case, the only way to
I don't think you're gonna be able to do that. The whole idea is for it
to be undecipherable and not be able to be reverse-engineered.
jonese wrote:
I'm trying to reverse engineer a hash and i'm not sure what could
produce something like this:
931c6ff8d9e365bfb412
the value returned by
Did you forget your password, which was hashed?
--
Oleg Gunkin
Email: [EMAIL PROTECTED]
Phone: (604) 666-9392
Emerging Technologies / Pacific Web Services
Information Technology Services
Public Works and Government Services Canada (Pacific)
-Original Message-
From: jonese [mailto:[EMAIL
right i know this and i have some ideas what data is being hashed but
i cannot figure out how to limit a hash to only 20 chars. most of the
hashing i've even done has been in md5 sha1 etc and this is obviously
not that.
I know this is a long shot but i was hoping that the 20 char limit
might ring
I just googled '20 character hash' and found quite a few sites that talk
about such an animal. Might be a good start.
-Original Message-
From: jonese [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 2:56 PM
To: CF-Talk
Subject: Re: hash question
right i know this and i
He forgot your password Oleg.
:)
!//--
andy matthews
web developer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-
-Original Message-
From: Oleg Gunkin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 3:54 PM
To: CF-Talk
Subject: RE
If it's 10g, it's very possible they're using dbms_crypto to encrypt some
piece of data. You seed it with your own random string of varying lengths.
You basically create a wrapper package for the built-in dbms_crypto package.
Depending on the length of your seed, you'll get different length
algorithm was used to create
this hashed value?
~Brad
-Original Message-
From: jonese [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 3:56 PM
To: CF-Talk
Subject: Re: hash question
right i know this and i have some ideas what data is being hashed but
i cannot figure out how to limit
It could be one of the following algorithms:
- RIPEMD-160
- SHA-0
- SHA-1
- Tiger-160
--
Oleg Gunkin
Email: [EMAIL PROTECTED]
Phone: (604) 666-9392
Emerging Technologies / Pacific Web Services
Information Technology Services
Public Works and Government Services Canada (Pacific)
-Original
the original string which was used to produce
this hashed value?
Are you trying to figure out WHAT hashing algorithm was used to create
this hashed value?
~Brad
-Original Message-
From: jonese [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 3:56 PM
To: CF-Talk
Subject: Re
On Sunday 08 May 2005 16:54, Robert Munn wrote:
process. By searching the rainbow tables, you can find possible matches to
your hashed value and so find what the original string might be.
Indeed, it's a classic time/space trade-off problem.
If you use several DVDs of precomputed data, you
So you might find your hash in the rainbow
tables, but the original string still might not match.
True, but in most cases where a hash is used, it doesn't matter; all you
need is some string that results in the same hash. That'd be typical for a
password system, for instance.
If the original
So you might find your hash in the rainbow
tables, but the original string still might not match.
True, but in most cases where a hash is used, it doesn't
matter; all you need is some string that results in the
same hash. That'd be typical for a password system, for
instance.
One way
-Original Message-
From: Justin D. Scott [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 08, 2005 1:28 PM
To: CF-Talk
Subject: RE: HASH() reverse
So you might find your hash in the rainbow
tables, but the original string still might not match.
True, but in most cases where
Dave Merrill wrote:
Nice explanation Jim (:-)
It's sometimes hard for people to understand this basic concept. That was
the simplest, clearest, most common-sense take on hashing I've seen. I'll
remember it if I need to go through this with a client.
I can do better:
Hashing text is
Having said that, the way I understand it, a hash is 32-bit,
so there are finite number of possible hash values.
Hashes need not be 32-bit. Hashes created using MD5, the default algorithm
used by CFMX, are 128-bit, 32 character strings. CFMX 7 supports SHA-1,
SHA-256, SHA-384 and SHA-512 out
Hashes need not be 32-bit. Hashes created using MD5, the default algorithm
used by CFMX, are 128-bit, 32 character strings. CFMX 7 supports SHA-1,
SHA-256, SHA-384 and SHA-512 out of the box, plus you can use
hash functions
provided by any Java security provider you install. SHA-1 creates
a
Hence the need for salt I think. CF7's improved hashing algorithm
support could be considered reason enough right there to upgrade,
otherwise.
--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com
A common mistake is to think of hashes as encryption - they're
not. They
don't represent the source. It's better to think of a hash as a
Fingerprint.
There is no way, using a fingerprint, to reconstruct the finger which made
it. That information isn't represented by the fingerprint
Subject: RE: HASH() reverse
A common mistake is to think of hashes as encryption - they're not.
They don't represent the source. It's better to think of a hash as a
Fingerprint.
There is no way, using a fingerprint, to reconstruct the finger which
made it. That information isn't
On Saturday 07 May 2005 12:59, James Holmes wrote:
literally though, as people's fingerprints are unique while hashes are not.
Bzzt.
Fingerprints aren't unique in any meaningful sense.
--
Tom Chiverton
Advanced ColdFusion Programmer
Subject: Re: HASH() reverse
On Saturday 07 May 2005 12:59, James Holmes wrote:
literally though, as people's fingerprints are unique while hashes are
not.
Bzzt.
Fingerprints aren't unique in any meaningful sense.
On Saturday 07 May 2005 14:23, James Holmes wrote:
possible fingerprints. He showed that there are at least 64 billion
fingerprints possible. Given that this is larger than the number of people
Firstly, of that space, not all possible combinations will occur.
Secondly, there have been some very
-Original Message-
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 07, 2005 10:25 AM
To: CF-Talk
Subject: Re: HASH() reverse
On Saturday 07 May 2005 14:23, James Holmes wrote:
possible fingerprints. He showed that there are at least 64 billion
fingerprints
is there any possibility to reverse the hash()
I have a value 1xc231vx231cx2v1x2cv132xc1v23 that's a hash, how can I
revert back into the normal text.
The whole point of using a hash is that you cannot retrieve the original
value from the hash. You can only compare other values to the original
is there any possibility to reverse the hash()
I have a value 1xc231vx231cx2v1x2cv132xc1v23 that's a hash,
how can I
revert back into the normal text.
Thanks
Well the idea behind hash it that it's not supposed to be reversible.
Hence it's more secure since you can only pass validation (user
So, it means there is no software/tool available for reversing the hash() value?
Anybody aware anything about it?
is there any possibility to reverse the hash()
I have a value 1xc231vx231cx2v1x2cv132xc1v23 that's a hash, how can I
revert back into the normal text.
Thanks
--
Regards,
--
Hey - that one is easy - it is 'make mine a large one' in plain text :-)
name erased because of alcohol
- Original Message -
From: Asim Manzur [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, May 06, 2005 9:31 PM
Subject: HASH() reverse
is there any possibility
The answer is _NO_ way to do it. People have already told you that.
John Burns
Certified Advanced ColdFusion MX Developer
Wyle Laboratories, Inc. | Web Developer
-Original Message-
From: Asim Manzur [mailto:[EMAIL PROTECTED]
Sent: Friday, May 06, 2005 4:45 PM
To: CF-Talk
Subject: Re
So, it means there is no software/tool available for
reversing the hash() value?
The availability of such a tool would nullify the value of being able to
hash in the first place - it would demonstrate that the hashing algorithm
and/or hashing process is broken and therefore useless. The entire
Subject: Re: HASH() reverse
So, it means there is no software/tool available for reversing the
hash() value?
Anybody aware anything about it?
is there any possibility to reverse the hash()
I have a value 1xc231vx231cx2v1x2cv132xc1v23 that's a hash, how can I
revert back into the normal text
-Original Message-
From: Asim Manzur [mailto:[EMAIL PROTECTED]
Sent: Friday, May 06, 2005 4:45 PM
To: CF-Talk
Subject: Re: HASH() reverse
So, it means there is no software/tool available for reversing the hash()
value?
Anybody aware anything about it?
Others have said
Asim Manzur wrote:
So, it means there is no software/tool available for reversing the hash()
value?
Anybody aware anything about it?
As a particular example, a $10 million custom machine for
applying parallel collision search to the MD5 hash function could
complete an attack with an
- Original Message -
From: Jochem van Dieten [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, May 06, 2005 10:26 PM
Subject: Re: HASH() reverse
Asim Manzur wrote:
So, it means there is no software/tool available for reversing the
hash() value?
Anybody aware
Burns, John said:
I read some comments the other day on the list about using hash() to
store passwords in a database and someone sent a link to a microsoft
document explaining the security benefits to storing passwords that
way. In the article, it talked about using a salt parameter that
the
John Burns said
I read some comments the other day on the list about using hash() to
store passwords in a database and someone sent a link to a microsoft
document explaining the security benefits to storing passwords that
way.
Do what Jochem said.
Make sure the salt value *cannot* change or
Should be. The hash() function is supposed to be an md5 implementation, so I don't
see why they should change across versions.
- Original Message -
From: Matt Robertson [EMAIL PROTECTED]
Date: Wednesday, April 2, 2003 1:20 pm
Subject: Hash() across CF versions (was: encrypting
Cool. Thx!
---
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---
-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL
CF 4.5
There's a complete list of CF functions and version on the front of
www.houseoffusion.com
At 12:50 PM 1/25/02, you wrote:
What version of CF server introduced the function hash()?
Shawn Regan
Applications Developer
pacifictechnologysolutions
4.5
FYI, you can find that answer at:
http://www.houseoffusion.com/hof/functions.cfm
Regards,
Dave.
Original Message Follows
From: Shawn Regan [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: Hash()
Date: Fri, 25 Jan 2002 09:50:14 -0800
What