PEAK XOOPS - Re: auto-login hacked files for XOOPS 2.0.9.2

Re: auto-login hacked files for XOOPS 2.0.9.2

Target Downloads
Subject auto-login hacked files for XOOPS 2.0.9.3
Summary ● Core file pack for XOOPS 2.0.9.x with the auto-login hack (+α) applied (V2) セキュリ...
Previous post - Next post | Parent - No child | Posted on 2005/2/19 16:27
GIJOE   Posts: 4110
hi dasdan.

It sounds like a good idea.
As long as the recent cookie is stolen, an attacker cannot log in successfully.

But some users who use 2 or more browsers (e.g. in Office & Home) can't log in automatically anymore.

After my current work is over, I'll consider it.
Votes:0 Average:0.00
Previous post - Next post | Parent - Children.1 | Posted on 2005/2/19 6:31
dasdan   From: Belgium / Ghent   Posts: 4
This hack stores the password as an MD5 hash on the client, but this is vulnerable to dictionary attacks, and simple copying to another computer.
This hack is a potential security hole, don't enable it lightly.


I was thinking: client logs in, server creates a unique random ID and stores it in the DB, sends it back to the client and stores it in a cookie. Next page visit, server checks the unique ID; if it matches -> generates a new ID, else the user needs to log in again (possibly hacked).
Votes:0 Average:0.00
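
The rotating-ID scheme proposed in the thread above, as an added example that is not part of the original posts and is not XOOPS code. The in-memory dict standing in for the DB table, the cookie layout, and the per-browser `series` value (so that two browsers each hold their own ID) are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class RememberMeStore:
    """In-memory stand-in for the server-side DB table (hypothetical)."""

    def __init__(self):
        # (uid, series) -> SHA-256 of the current ID; one series per browser.
        # Only the hash is stored, so a DB leak does not yield usable cookies.
        self._rows = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, uid, series=None):
        """After a password login (new series) or to rotate an existing one."""
        series = series or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)  # unique random ID, no password in it
        self._rows[(uid, series)] = self._digest(token)
        return f"{uid}:{series}:{token}"  # value to set as the cookie

    def auto_login(self, cookie):
        """Return (uid, new_cookie) on a match, (None, None) otherwise."""
        try:
            uid_s, series, token = cookie.split(":")
            uid = int(uid_s)
        except ValueError:
            return None, None  # malformed cookie
        stored = self._rows.get((uid, series))
        if stored is None:
            return None, None  # unknown or revoked series
        if not hmac.compare_digest(stored, self._digest(token)):
            # Known series but an old ID: two copies of this cookie exist.
            # Drop every series for the user and require a password login.
            for key in [k for k in self._rows if k[0] == uid]:
                del self._rows[key]
            return None, None
        return uid, self.issue(uid, series)  # match: rotate to a new ID
```
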
