The news is reporting that the flaw in version 3.8.6 allows one to "obtain the administrator's username and password." Is this true?
3.8.6 admin password
-
The exploit doesn't directly give access to the admin password; however, through using the database credentials you can dump the database to a local server, upload it, look in phpMyAdmin and decrypt the password. There are easier ways, but it's douchey to explain how to hack someone's forums.

My Forums: The Geek District - Off Topic Hut
My Blog: Mikeylicious
Projects: Shorten URLs with kwn.me
-
If the database accepts remote links, you can do "everything", so yes, you can also get the user details, though passwords are hashed. However, you could easily change the passwords of any user, or any other details, hence the severity of the matter.
-
With read-only access to the db, it is possible to dump hashes and brute-force passwords (157 million p/s using an average GTS250).
I reported this problem last year: https://forum.vbulletin.com/node/318894
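
A defender-side check for the condition raised in the replies above (a database that accepts remote connections while its credentials are exposed), added here as an example and not part of the original thread. It assumes a MySQL server and an administrative session; the account name `vbforum_user` and the password placeholder are hypothetical.

```sql
-- Added example. 'vbforum_user' is a hypothetical name for the account
-- the forum software uses to reach its database.

-- 1. List every account that may connect from a non-local host.
--    A Host of '%' or a public address means leaked credentials can be
--    used from anywhere that can reach the MySQL port.
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY User, Host;

-- 2. List database-level grants held by those remotely reachable accounts,
--    to see which of them can read or modify data.
SELECT User, Host, Db, Select_priv, Update_priv, Delete_priv
FROM mysql.db
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY User, Db;

-- 3. Show exactly what the forum account is granted from a wildcard host.
SHOW GRANTS FOR 'vbforum_user'@'%';

-- 4. Restrict the forum account to local connections only.
--    (Fails if 'vbforum_user'@'localhost' already exists; in that case
--    drop the '%' entry instead.)
RENAME USER 'vbforum_user'@'%' TO 'vbforum_user'@'localhost';

-- 5. Treat the old credentials as disclosed and rotate them.
--    ALTER USER ... IDENTIFIED BY needs MySQL 5.7.6+ or MariaDB 10.2+;
--    older servers use SET PASSWORD FOR instead.
ALTER USER 'vbforum_user'@'localhost'
  IDENTIFIED BY '<new-random-password>';  -- placeholder, generate your own

-- 6. Confirm that only the local entry remains.
SELECT User, Host FROM mysql.user WHERE User = 'vbforum_user';
```

After rotating the password, update the forum's database settings to match, and reset forum account passwords, since hashes may already have been copied.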