How would someone be able to access wp-config.php? When it is opened in the user's browser it would be run as PHP...

--------------------------------------------
Bull3t
http://www.bull3t.me.uk/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:wp-testers-[EMAIL PROTECTED] On Behalf Of PkbCS Contact
> Sent: 21 November 2007 16:34
> To: [email protected]
> Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
>
> Obtaining the MD5 hash is not that difficult. A lot of shared hosts do
> not protect the web roots of their users properly, which makes it a
> trivial task to obtain the contents of wp-config.php and connect to the
> user's database and obtain the hash. Simply using words that are not a
> part of any language will keep you safe against weaker cracking
> attempts; however, a determined hacker can, and will, make use of rainbow
> tables which have hashes not only for dictionary words, but also huge
> collections of random alphanumeric and special character strings.
>
> So, IF the host is set up properly, IF the application is not vulnerable
> to queries that can return the admin password hash and IF the hacker is
> not determined enough to use a rainbow table to crack the hash, then
> yes, it's nothing to worry about.
>
> From what I understand, it's a relatively trivial matter to add a
> "salt" function that would further protect the MD5 hash. I believe this
> would be the best solution because the upgrade script could prompt the
> user for a salt string and the hashes could be converted as part of the
> upgrade process. Another option is generating the salt string
> automatically and outputting it for the user to save in a safe place.
>
> Bull3t wrote:
> > You need to know the MD5 hash of the password in the first place and even
> > then it is just luck of the draw, it really isn't that worrying. Just use a
> > password that isn't part of a language?
> >
> > --------------------------------------------
> > Bull3t
> > http://www.bull3t.me.uk/
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:wp-testers-[EMAIL PROTECTED] On Behalf Of Pål GD
> >> Sent: 21 November 2007 13:45
> >> To: [email protected]
> >> Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
> >>
> >> Cornell Finch wrote:
> >>
> >>> I know this probably isn't the right place to put this but I don't
> >>> know where else to submit it:
> >>>
> >>> http://www.theregister.co.uk/2007/11/21/google_md5_crack/
> >>>
> >>> Is this something we should be worried about?
> >>>
> >>> Collin
> >>>
> >> Yes, indeed. Wordpress should have been doing salting[1], which I don't
> >> think they do.
> >>
> >> [1] http://en.wikipedia.org/wiki/Salting_(cryptography)
> >> _______________________________________________
> >> wp-testers mailing list
> >> [email protected]
> >> http://lists.automattic.com/mailman/listinfo/wp-testers
>
> --
> Best regards,
>
> James Morris
> PkbCS, LLC
> [EMAIL PROTECTED]
> http://pkbcs.com/
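The salting-and-upgrade scheme James describes above, as an added Python example that is not from the thread or from WordPress itself: a constructed toy wordlist stands in for a precomputed lookup table, and wrapping the legacy MD5 digest in HMAC-SHA256 under a per-user salt is my choice of construction for converting stored hashes without knowing the passwords, not anything the thread specifies.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a precomputed lookup / rainbow table.
TOY_WORDLIST = ["password", "letmein", "wordpress", "xq7#Lp2v"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Unsalted md5 -> plaintext. One table serves every site, which is the whole problem."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(stored_md5: str, table: dict):
    """A plain md5 digest is recovered by a dictionary lookup; no per-site work is needed."""
    return table.get(stored_md5)


def new_salt() -> bytes:
    """Per-user random salt; store it next to the hash."""
    return os.urandom(16)


def upgrade_legacy_hash(legacy_md5: str, salt: bytes) -> str:
    """Wrap an existing unsalted md5 digest with a per-user salt, without the password.
    This is what lets an upgrade script convert stored hashes in place (hypothetical scheme)."""
    return hmac.new(salt, legacy_md5.encode(), hashlib.sha256).hexdigest()


def verify_upgraded(password: str, salt: bytes, stored: str) -> bool:
    """Login check after the upgrade: recompute md5(password), then the salted wrap."""
    candidate = upgrade_legacy_hash(md5_hex(password.encode()), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_lookup_table(TOY_WORDLIST)
    legacy = md5_hex(b"xq7#Lp2v")          # non-dictionary, yet in the precomputed table
    print("unsalted lookup:", crack_unsalted(legacy, table))
    salt = new_salt()
    stored = upgrade_legacy_hash(legacy, salt)
    print("salted lookup:  ", crack_unsalted(stored, table))
    print("login ok:       ", verify_upgraded("xq7#Lp2v", salt, stored))
```

The inner layer is still a fast MD5: a per-user salt defeats a shared precomputed table but not a brute-force attempt against one user's hash, which is why a deliberately slow password hash (bcrypt, scrypt, Argon2) is the usual choice today.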
