MyBB Community Forums

Full Version: Tamper Data Attack
Your code does not generate anything useful because MyBB doesn't use sha1.
I don't know how this works or what MyBB supports or not. He did this code and the trick which I explained before, and moreover I tried it myself on my board and my friend's board; it's working fine. :(
If you know how to get login cookie data of other users, without them giving it to you, pray tell.

If it's only cookies, Tamper Data is the wrong tool for the job - you can just edit the cookies directly using Webmaster Toolbar.

It's always possible to tamper and change cookies; that can't be helped. It's still secure as long as you don't know what data to put into the cookie to actually be authenticated as that particular user. And that's harder to do than guessing the user's password because you need to know a long random string for it.

If the other user cooperates and gives you their cookie, that's as if they gave you their password, and as such no security flaw in the software, but user error.
(2011-08-29, 10:23 AM)frostschutz Wrote: If you know how to get login cookie data of other users, without them giving it to you, pray tell.

If it's only cookies, Tamper Data is the wrong tool for the job - you can just edit the cookies directly using Webmaster Toolbar.

It's always possible to tamper and change cookies; that can't be helped. It's still secure as long as you don't know what data to put into the cookie to actually be authenticated as that particular user. And that's harder to do than guessing the user's password because you need to know a long random string for it.

If the other user cooperates and gives you their cookie, that's as if they gave you their password, and as such no security flaw in the software, but user error.

Sorry mate; I don't understand anything above. ;) I'm not a professional or technical guy, mate, just a regular MyBB user. I just found this error, so I want to report it to MyBB and tried to solve this problem. :-/
And even if you know the loginkey you don't have a chance to access the ACP because you need the password there.
(2011-08-29, 07:19 AM)shinekwt Wrote: me: from where did you get this
mybb[lastvisit]=1313053471; mybb[lastactive]=1313053582; sid=5ef0490f4cd9274006457f01220d55b4; mybbuser=3_tIMTtvGNGBWSobcRWq5zwy3iKzhGqcEDtLZLAo2pnVzSsgmnVb
giants: or you'll get logged out
3 = his UserID
12:07 PM after the underscore = his name Aldrin encrypted with a salt using sha1

That's false information. As you can see, the string after the underscore is 50 characters long. That's the login key and it's completely random. See MyBB's inc/functions_user.php:

/**
 * Generates a 50 character random login key.
 *
 * @return string The login key.
 */
function generate_loginkey()
{
        return random_str(50);
}

It shouldn't be possible to guess this string, as there are way too many combinations. It depends on PHP's random numbers not being reproducible in any way, though.

It's entirely possible to have cookies stolen if there's an XSS issue with your board or if the user is just dumb enough to hand that kind of info to other people.
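The check a practitioner would run on the cookie quoted above, as an added example that is not MyBB's code and not written by anyone in this thread: split the mybbuser value into uid and login key, test the "sha1 of the name plus a salt" claim against the key's length and character set (a SHA-1 hex digest is always 40 hex characters, so a 50-character mixed-case string cannot be one, whatever the salt), compare the key's guessing space with that of a short password, and model the server side so that changing only the uid part of your own cookie gets you nothing. Assumptions: the 62-symbol alphanumeric alphabet is assumed to be what random_str() draws from, Python's secrets module stands in for PHP's random numbers, and the user table and salt list are constructed for the demo.

```python
"""Anatomy of the mybbuser cookie ("<uid>_<loginkey>") and why the key resists guessing.
Added example; not MyBB code. Alphabet, user table and salts are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
import string

# The cookie value quoted in the thread.
SAMPLE_MYBBUSER = "3_tIMTtvGNGBWSobcRWq5zwy3iKzhGqcEDtLZLAo2pnVzSsgmnVb"

KEY_ALPHABET = string.ascii_letters + string.digits  # assumed charset of random_str(): 62 symbols
KEY_LEN = 50


def split_mybbuser(cookie: str) -> tuple[int, str]:
    """Split '<uid>_<loginkey>'; reject anything that does not have that shape."""
    uid, sep, key = cookie.partition("_")
    if not sep or not uid.isdigit():
        raise ValueError("expected '<uid>_<loginkey>'")
    return int(uid), key


def classify_key(key: str) -> str:
    """Tell a SHA-1 hex digest (40 hex chars) apart from a 50-char alphanumeric login key."""
    if len(key) == 40 and all(c in string.hexdigits for c in key):
        return "sha1-hex"
    if len(key) == KEY_LEN and all(c in KEY_ALPHABET for c in key):
        return "loginkey"
    return "unknown"


def sha1_hypothesis_holds(name: str, key: str, salts=("", "salt", "mybb")) -> bool:
    """The thread's claim: key == sha1(name + salt). A few constructed salts are tried,
    but the 40-hex-char digest format can never equal a 50-char key anyway."""
    return any(hashlib.sha1((name + s).encode()).hexdigest() == key for s in salts)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Size of the guessing space in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_loginkey() -> str:
    """CSPRNG-backed stand-in for MyBB's random_str(50); uses Python's secrets, not PHP's RNG."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LEN))


def authenticate(cookie: str, users: dict[int, str]) -> int | None:
    """Server side: the cookie is trusted only if the key equals the one stored for that uid.
    Constant-time comparison so a wrong guess does not leak how many chars matched."""
    try:
        uid, key = split_mybbuser(cookie)
    except ValueError:
        return None
    stored = users.get(uid)
    if stored is None or not hmac.compare_digest(stored, key):
        return None
    return uid


def demo() -> dict:
    uid, key = split_mybbuser(SAMPLE_MYBBUSER)
    results = {
        "uid": uid,
        "key_class": classify_key(key),
        "sha1_claim": sha1_hypothesis_holds("Aldrin", key),
        "loginkey_bits": round(entropy_bits(len(KEY_ALPHABET), KEY_LEN), 1),
        "password8_bits": round(entropy_bits(95, 8), 1),  # 8 printable-ASCII chars
    }
    # Constructed user table: uid 3 holds the quoted key, uid 1 is the attacker's own account.
    users = {1: generate_loginkey(), 3: key}
    results["own_cookie_ok"] = authenticate(f"1_{users[1]}", users) == 1
    # Editing the uid in your own cookie without uid 3's key yields nothing.
    results["tampered_uid"] = authenticate(f"3_{users[1]}", users)
    # A random 50-char guess has a 62^-50 chance; it fails.
    results["guessed_key"] = authenticate("3_" + generate_loginkey(), users)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the quoted key is a 50-character alphanumeric login key (about 298 bits of guessing space, against roughly 53 bits for an eight-character password), that no salted SHA-1 of "Aldrin" can equal it, and that a tampered uid or a random key is rejected: the cookie is forgeable in form but useless without the stored key, which is exactly the point above.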
That code you sent me via email is completely irrelevant; for a start MyBB doesn't even use sha1 encryption, and the loginkey (used in the mybbuser cookie) is generated from a very secure random number generation algorithm.

To be frank I think this "hacker" is trying to hide the fact he simply stole your cookie data (possibly through a trojan on your computer or some other method) in order to scare you.
(2011-08-29, 10:44 AM)Tim B. Wrote: That code you sent me via email is completely irrelevant; for a start MyBB doesn't even use sha1 encryption, and the loginkey (used in the mybbuser cookie) is generated from a very secure random number generation algorithm.

To be frank I think this "hacker" is trying to hide the fact he simply stole your cookie data (possibly through a trojan on your computer or some other method) in order to scare you.

I thought the same, mate, but my board has two admins (one is me and the other one is in India), and he used to enter my admin panel under the other admin's ID as well. So did the hacker steal his cookie too? Or does my board have a security issue? Can anyone please check my board?

http://www.malluvdo.net/forum/
What version of the MyTabs plugin are you using? Because the old one has a significant security issue which I suspect is at fault.
Yup, it's MyTabs. Mystery solved.