Security notice to all alliances running outdated versions of Invision Power Board


bros

Invision Power Board with security holes? Who would have thought it.

Really, this is another edge that phpbb3 has, it is impossible to retrieve a lost phpbb3 password, and the only way to screw it up/hack accounts in that manner is if you have access to modify the database. I guess if you're willing to pay $150 for an inferior software with security issues, good for you.

Edited by memoryproblems

Invision Power Board with security holes? Who would have thought it.

Really, this is another edge that phpbb3 has, it is impossible to retrieve a lost phpbb3 password, and the only way to screw it up/hack accounts in that manner is if you have access to modify the database. I guess if you're willing to pay $150 for an inferior software with security issues, good for you.

psssst

all use MD5 salted hashes.

Not sure about IPB. I think 2.x.x might use SHA-1 that's salted.

SMF and phpbb used MD5 salted hashes though :D


Although I love SMF... in some ways I absolutely hate it too. It's very simplistic, which I love, but sometimes this "simplicity" also makes things so much harder. For the love of God, use PHPBB. You'll thank me later.

Mods make it better :D


If someone has gotten into a forum on CN using a specific exploit on a specific type of forum software, then it would /probably/ be a good idea to not be on that, right?

Yea, but it'd /probably/ not be a good idea to upgrade to an even less secure version. Especially one with perl exploits, and a rather similar php password exploit.

psssst

all use MD5 salted hashes.

Not sure about IPB. I think 2.x.x might use SHA-1 that's salted.

SMF and phpbb used MD5 salted hashes though :D

IPB 2.x.x is MD5 hashed with optional salts.

Edited by Tushar Dhoot

Yea, but it'd /probably/ not be a good idea to upgrade to an even less secure version. Especially one with perl exploits, and a rather similar php password exploit.

IPB 2.x.x is MD5 hashed with optional salts.

Ahhh. Well still, you can crack the hashes as long as you have the salts and a good rainbow table :P

SMF mods are easy to install. I'll give you that. Still... good mods that are compatible are hard to find. -_-

...what? O_o

Just look at the SMF site, there are a whole bunch for SMF 2 or SMF 1. More for 1.1.x than 2.x though


To be fair, IPB has no competition if you'll pay for it. There is a mod in development that will allow an automatic installation of applications rather than using the cpanel. It's also purty and more user friendly... I've used the most recent SMF and IPB versions in case anyone was curious, still would pick IPB every time.

A good note to remember though for people -

Use a different CN forums password than you use for your alliance passwords and use an entirely separate diplomating password. Needless to say irc and your CN nation could be separate as well... 5 passwords ain't hard to remember.


Ahhh. Well still, you can crack the hashes as long as you have the salts and a good rainbow table :P

Bad passwords can always be hacked. As far as I know, all 2.3.x versions of IPB have salted MD5 passwords.

Even with the full table (salts and the salted password) there is no reliable method of re-calculating the original hash of the original password.

The password is constructed as follows:

md5(md5(password).md5(salt))

You have the salt, so you have the md5 salt. You have the final hash. However, you do not have the md5 hash of the password.

This means you not only have to find a collision that exactly matches the original password-hash, but then you also have to find a collision that is small enough to be entered into the password field.

Here they describe how they constructed a single MD5 collision for a Certification Authority. Let's, for simplicity's sake, assume it is the same kind of calculation. It took 200 Playstation 3's 18 hours to construct a collision. This means, at best, with the right results immediately at the start, you would need 36 hours and 200 Playstation 3's to break a password from a hashed salted password, even with all the data available.

[Image: Playstation 3 cluster]

The chances of the average alliance here owning 200 Playstation 3's, configured to run in parallel, are next to zero. The mentioned 18 hours' time comes from the only collision construction I am aware of, and is incompatible with the type of calculation needed to construct two hashes that are small enough to be used.

In short: if your password table uses hashes, you are safe.


Bad passwords can always be hacked. As far as I know, all 2.3.x versions of IPB have salted MD5 passwords.

Even with the full table (salts and the salted password) there is no reliable method of re-calculating the original hash of the original password.

The password is constructed as follows:

md5(md5(password).md5(salt))

You have the salt, so you have the md5 salt. You have the final hash. However, you do not have the md5 hash of the password.

This means you not only have to find a collision that exactly matches the original password-hash, but then you also have to find a collision that is small enough to be entered into the password field.

Here they describe how they constructed a single MD5 collision for a Certification Authority. Let's, for simplicity's sake, assume it is the same kind of calculation. It took 200 Playstation 3's 18 hours to construct a collision. This means, at best, with the right results immediately at the start, you would need 36 hours and 200 Playstation 3's to break a password from a hashed salted password, even with all the data available.

[Image: Playstation 3 cluster]

The chances of the average alliance here owning 200 Playstation 3's, configured to run in parallel, are next to zero. The mentioned 18 hours' time comes from the only collision construction I am aware of, and is incompatible with the type of calculation needed to construct two hashes that are small enough to be used.

In short: if your password table uses hashes, you are safe.

Well look at what happened to your alliance's forums today :P


Well look at what happened to your alliance's forums today :P

Panic, apparently. As I said, the only thing that is stored in the database are the final hashes and the salts. I showed in my previous post that it has little value.

[edit]Bros2 sent me the link. This exploit returns the final hash and the salt. This exploit only works if you have the standard 'ibf_' prefix.

This exploit will only work with weak passwords. A password can be described as weak if your grandmother can memorize it.

Edited by Lord of the Port
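
An added example (not code from any poster or from Invision Power Board) of a forum administrator's password-table audit: given each row's salt and final hash, a candidate password can be hashed and compared directly, so passwords on a common list are found without any MD5 collision. It uses the construction as quoted in the thread; the member names, salts and the long password are constructed sample data.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    """PHP-style md5(): lowercase hex digest of the UTF-8 bytes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def legacy_hash(password: str, salt: str) -> str:
    """Construction as quoted in the thread: md5(md5(password).md5(salt)).
    PHP's '.' concatenates the two 32-character hex strings."""
    return md5_hex(md5_hex(password) + md5_hex(salt))

# Common passwords named later in the thread, plus "school".
COMMON = ["123456", "12345", "1234567", "Password", "123456789", "school"]

def audit(rows, wordlist=COMMON):
    """Return ({member: matched_password}, hashes_computed).

    Each row is (member, salt, stored_hash). The salt differs per row, so
    every candidate is re-hashed for every account: a precomputed table
    cannot be reused, yet a short wordlist still costs at most
    len(rows) * len(wordlist) hash computations.
    """
    weak, computed = {}, 0
    for member, salt, stored in rows:
        for candidate in wordlist:
            computed += 1
            if hmac.compare_digest(legacy_hash(candidate, salt), stored):
                weak[member] = candidate
                break
    return weak, computed

# Constructed sample table (hypothetical members and salts, not real data).
SAMPLE_ROWS = [
    ("alice", "x7#Qp", legacy_hash("school", "x7#Qp")),
    ("bob", "Lm2!z", legacy_hash("123456", "Lm2!z")),
    ("carol", "9vT$e", legacy_hash("mauve-Tractor-41-gondola", "9vT$e")),
]

if __name__ == "__main__":
    weak, computed = audit(SAMPLE_ROWS)
    for member in weak:
        print(f"{member}: password is on the common list, force a reset")
    print(f"{computed} hash computations for {len(SAMPLE_ROWS)} accounts")
```

Accounts flagged by the audit are the ones to force a password reset on; the account with the long password is not matched by the wordlist.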

The newspaper today had a list of the top 10 most common they included

123456

12345

1234567

Password

123456789

I can't remember it, but I got into the admin settings on the computers in my high school with 2 guesses, the password was "school"

That's not hacking by any means, that's like taking a spare key out of a fake rock, it's inviting people in
