Date: Thu, 21 May 2009 17:44:19 -0500 From: Minga Minga <mingakore@...il.com> To: john-users@...ts.openwall.com Subject: Re: GI John > Finally I can publish my distributed patch for john. Its seems to > working, i hope it will be stable in the future, when more people will > use it. > You can download it from here: > http://www.gijohn.info Interesting project. Ill give it a try. I hope lots of people use it. Then again, I would not use something like this for client's passwords. Its too dangerous to share your hashes with strangers on the Internet. Notes: 1) The error message <error>No such user. Please register, or change the account.</error> ... implies that the username is invalid, if I pick a valid username will I get a different error message? If so, this is user-enumeration vulnerability. And I can use it to brute force user names. And maybe eventually passwords. 2) The traffic to the server is over port 80. Will it be sending password hashes and plain-text non-encrypted over the Internet? That's really dangerous - I would wrap it with 'stunnel' if gijohn.info was running an SSL web-server. Which is doesn't POST /newsession.php?user=testing&pass=testpassword HTTP/1.0 Host: gijohn.info hashes=%3C%3Fxml%20version%3D%221.0%22............etc 3) In the POST above, by sending the login and password in the URL, you are allowing the credentials to be stored in a variety of places (some of which might be out of your reach). Including incoming and outgoing proxy logs. and your web-server logs. If I gained access to your logfiles - I would have EVERYONE's login and password. You are putting your user's at risk. 4) If my machine is a member of the "cloud" - can I be able to display all the hashes that I am attempting to crack for other users? This is a large information disclosure. (as mentioned above). I could easily create a "dummy" client that talks to the server and constantly requests new hashes. -Minga -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.