Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 21 May 2009 17:44:19 -0500
From: Minga Minga <>
Subject: Re: GI John

> Finally I can publish my distributed patch for john. Its seems to
> working, i hope it will be stable in the future, when more people will
> use it.
> You can download it from here:

Interesting project. Ill give it a try. I hope lots of people use it.
Then again, I would not use something like this for client's
passwords. Its too dangerous to share your hashes with
strangers on the Internet.


1) The error message

<error>No such user. Please register, or change the account.</error>

... implies that the username is invalid, if I pick a valid username will I
get a different error message? If so, this is user-enumeration
vulnerability. And I can use it to brute force user names. And maybe
eventually passwords.

2)  The traffic to the server is over port 80.  Will it be sending
password hashes and plain-text non-encrypted over the Internet?
That's really dangerous - I would wrap it with 'stunnel' if was running an SSL web-server. Which is doesn't

POST /newsession.php?user=testing&pass=testpassword HTTP/1.0


3) In the POST above, by sending the login and password in the
URL, you are allowing the credentials to be stored in a variety of
places (some of which might be out of your reach). Including incoming
and outgoing proxy logs. and your web-server logs. If I gained access
to your logfiles - I would have EVERYONE's login and password.
You are putting your user's at risk.

4) If my machine is a member of the "cloud" - can I be able to
display all the hashes that I am attempting to crack for other
users? This is a large information disclosure. (as mentioned
above). I could easily create a "dummy" client that talks to the
server and constantly requests new hashes.


To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.