MyBB Community Forums

Full Version: Security Question
Well I didn't know where else to ask this so I figured that this one would be sufficient.

I am currently in the process of doing some extensive penetration tests on my board to see how secure I am, and I noticed that the admin cookie was very easy to find. This concerns me greatly and I would like to know how to change the cookie's ID; currently it is adminsid .-.

Any help would be greatly appreciated!

Board URL: most of the MyBB boards in the first few Google pages, at random.

www.kamakzy-productions.com/

=Kamakzy56=
From memory, the cookie value is stored in the database as the admin's user-name and their password, MD5 encrypted and then encrypted with a login key. So in order for them to bake a cookie they would first need to know your logins, then hack the database to get that login key. In other words it would be easier for them to log in, because obviously if they are able to do that then they would have to know your login details anyway.

Don't take my 100% word for this, as I only remember it from some work I was doing back on 1.2, but I am pretty sure it is something like that.
(2009-07-26, 07:17 AM)_Tim Wrote: From memory, the cookie value is stored in the database as the admin's user-name and their password, MD5 encrypted and then encrypted with a login key. So in order for them to bake a cookie they would first need to know your logins, then hack the database to get that login key. In other words it would be easier for them to log in, because obviously if they are able to do that then they would have to know your login details anyway.

Don't take my 100% word for this, as I only remember it from some work I was doing back on 1.2, but I am pretty sure it is something like that.

Well, I was in fact able to get the MD5 password hash from the cookie and was unsuccessful in a decryption, but they still would be able to get the passwords of pretty much any of my members (if they used a basic password like pass or password1). If what you said about the MD5 hashes being salted is true then I have nothing to fear, but if not then this is kind of a major security hole, is it not? o.O
The password hashes of MyBB are salted. See the user table: there are two fields, loginkey and salt.

loginkey = md5(md5(salt)+md5(password))

So if all you have is the loginkey, going back to the password is not that easy.
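As an added illustration (not code from the thread or from MyBB itself), the script below implements the salted construction the last reply describes, md5(md5(salt) + md5(password)), and shows why it answers the earlier worry about members with passwords like "pass" or "password1": an unsalted MD5 digest of a weak password can be matched against a precomputed table, while the salted digest of the same password cannot, and two users who share a password end up with different stored values. The salt length, alphabet and the small table of weak passwords are assumptions constructed for the example; verification uses a constant-time comparison, which is a general hardening choice rather than anything the thread states about MyBB.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string (MD5 is used only because the thread's scheme uses it)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The construction described in the reply: md5(md5(salt) + md5(password))."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def make_salt(length: int = 8) -> str:
    """Random per-user salt. Length 8 and the alphabet are assumptions for this example."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify(password: str, salt: str, stored: str) -> bool:
    """Check a login attempt against the stored salted digest in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


# Constructed stand-in for a precomputed table of plain (unsalted) MD5 digests of
# weak passwords; the two from the thread are included. Built at runtime here.
WEAK_PASSWORDS = ["pass", "password", "password1", "123456"]
UNSALTED_TABLE = {md5_hex(p): p for p in WEAK_PASSWORDS}


def lookup_unsalted(digest: str):
    """Return the weak password whose plain MD5 equals digest, or None if absent."""
    return UNSALTED_TABLE.get(digest)


def same_password_differs(password: str) -> bool:
    """Two accounts with the same password get different stored values thanks to the salt."""
    return salted_hash(password, make_salt()) != salted_hash(password, make_salt())


if __name__ == "__main__":
    salt = make_salt()
    stored = salted_hash("password1", salt)
    print("stored digest:", stored, "salt:", salt)
    print("correct password verifies:", verify("password1", salt, stored))
    print("wrong password rejected:", not verify("password", salt, stored))
    # The unsalted digest of "password1" is in the table; the salted one is not.
    print("unsalted lookup:", lookup_unsalted(md5_hex("password1")))
    print("salted lookup:", lookup_unsalted(stored))
    print("same password, different salts differ:", same_password_differs("pass"))
```

The point the script makes is the one the reply makes in words: whoever only holds the stored digest still needs the salt, and even with the salt the table they would have precomputed for plain MD5 is useless because every user's digest was computed over a different salt.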