The Castle Doctrine Forums

Discuss the massively-multiplayer home defense game.


#1 2015-04-09 08:18:38

jasonrohrer
Administrator
Registered: 2013-04-01
Posts: 1,235

Forum security hole

See here:

https://fluxbb.org/development/core/tickets/990/

After repeatedly having someone come in here and change MY password on my behalf (they never did anything after changing it), I was motivated to upgrade the forums.

Anyway, some of you may find that you can't log in with your password and will need to reset your password.  As far as I'm aware, my account was the only one targeted.  Got a Mail Delivery error when someone tried to change their email to:

7c4a8d09ca3762af61e59520943dc26494f8941b'/**/where/**/id=2#@1i3xlmk.tns.re

id=2 is me, of course.

This was NOT a breach where your password or hashed password was leaked.  It was just a case where the attacker could inject a new hashed password for a chosen account into the database.



But... after looking at the source, I've realized that passwords are stored SHA1-hashed in the database without a salt.  Jeez... salting password hashes has been best practice for decades now.  Dev says it won't be fixed until v2.0.

Anyway, beware...

Either use a really good password here that can't be cracked by a rainbow table, or use a throw-away password that you don't care about.

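An added illustration of the unsalted-SHA1 point in the post above (example code written for this thread, not FluxBB's own code): a tiny constructed lookup table of SHA-1 digests for a few common passwords, which is all an attacker with a copy of an unsalted hash column needs, beside a salted, iterated hash (PBKDF2-HMAC-SHA256 here, the stand-in for "do it properly") where two users with the same password get different stored values and the table is useless. The 40-hex prefix of the injected address in the first post is the SHA-1 of "123456", so it falls straight out of the table.

```python
import hashlib
import hmac
import os

# Constructed lookup table: SHA-1 of a few common passwords. A real rainbow or
# lookup table is the same idea at scale; it works against ANY unsalted SHA-1 store.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
LOOKUP = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_store(password: str) -> str:
    """What the post describes FluxBB storing: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def reverse_unsalted_sha1(digest_hex: str):
    """Unsalted digest -> one dictionary lookup recovers a common password (or None)."""
    return LOOKUP.get(digest_hex.lower())


# Iteration count kept low so the demo runs quickly; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is 600,000, and scrypt/Argon2 are preferable where available.
ITERATIONS = 100_000


def salted_store(password: str, salt: bytes = None):
    """Salted, iterated hash. Returns (salt, digest); both are stored per user."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user / every change
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def stored_hashes_collide(password: str, store) -> bool:
    """Two users pick the same password: do identical values land in the DB?"""
    return store(password) == store(password)


if __name__ == "__main__":
    injected_prefix = "7c4a8d09ca3762af61e59520943dc26494f8941b"
    print("unsalted lookup:", reverse_unsalted_sha1(injected_prefix))
    print("unsalted collide:", stored_hashes_collide("hunter2", unsalted_store))
    print("salted collide:", stored_hashes_collide("hunter2", lambda p: salted_store(p)[1]))
```

The salt does not need to be secret, only unique per user; its job is to make every precomputed table worthless and to force an attacker to attack each account separately, while the iteration count makes each guess expensive.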

#2 2015-04-09 18:38:36

fromthemars
Member
Registered: 2015-03-22
Posts: 1

Re: Forum security hole

Ya, I'm sorry.

You're lucky there's this function in FluxBB to check email addresses for validity:

function is_valid_email($email)
{
    // Reject anything longer than 80 characters outright
    if (strlen($email) > 80)
        return false;

    // Otherwise accept whatever this pattern matches
    return preg_match('%^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|("[^"]+"))@((\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])|(([a-zA-Z\d\-]+\.)+[a-zA-Z]{2,}))$%', $email);
}

;-P

See Email for further details.

cheers

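To make the point of the post above concrete (example code added here, not FluxBB's own): a Python port of that `is_valid_email()` regex, run against the exact address from the first post. The validator accepts it, because the pattern only excludes a handful of characters and quote, slash, asterisk, hash and equals are not among them. That is the general lesson: format validation is not an injection defense. The only reliable control is to keep the value out of the statement text, shown here with a placeholder-bound UPDATE on a constructed in-memory SQLite table, where the whole string is stored as data on the caller's own row and the `id=2` row is untouched.

```python
import re
import sqlite3

# Port of the PHP regex to Python's re. In the PHP single-quoted string '\\.'
# reaches PCRE as '\.', i.e. a literal dot inside the character class.
EMAIL_RE = re.compile(
    r'^(([^<>()\[\]\.,;:\s@"]+(\.[^<>()\[\]\.,;:\s@"]+)*)|("[^"]+"))'
    r'@((\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])|(([a-zA-Z\d\-]+\.)+[a-zA-Z]{2,}))$'
)


def is_valid_email(email: str) -> bool:
    """Same two checks as the PHP function: length cap, then the regex."""
    if len(email) > 80:
        return False
    return EMAIL_RE.match(email) is not None


# The address from the first post, copied verbatim.
INJECTED = "7c4a8d09ca3762af61e59520943dc26494f8941b'/**/where/**/id=2#@1i3xlmk.tns.re"

# Characters that carry meaning to a SQL parser (MySQL treats '#' as a comment).
SQL_SIGNIFICANT = set("'\"/*#;=")


def sql_characters_passed(email: str) -> str:
    """Which SQL-significant characters survive the validator, in sorted order."""
    if not is_valid_email(email):
        return ""
    return "".join(sorted(set(email) & SQL_SIGNIFICANT))


def update_email_parameterized(conn: sqlite3.Connection, user_id: int, new_email: str) -> None:
    """Placeholder-bound UPDATE: the driver sends the value separately from the
    statement, so it can never terminate the quote or add a WHERE clause."""
    conn.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))
    conn.commit()


def demo() -> dict:
    """Constructed table: id 2 is the admin, id 5 is the account making the change."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(2, "admin", "admin@example.invalid"), (5, "newuser", "new@example.invalid")],
    )
    update_email_parameterized(conn, 5, INJECTED)
    return dict(conn.execute("SELECT id, email FROM users").fetchall())


if __name__ == "__main__":
    print("validator accepts injected address:", is_valid_email(INJECTED))
    print("SQL characters let through:", sql_characters_passed(INJECTED))
    print("rows after parameterized update:", demo())
```

The PHP equivalent of `update_email_parameterized` is a PDO or mysqli prepared statement with bound parameters; escaping by hand is the next best thing, and the regex contributes nothing to either.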

#3 2015-04-10 11:30:36

Frosty
Member
Registered: 2014-03-04
Posts: 38

Re: Forum security hole

Thanks for the info, password changed! :)



Powered by FluxBB 1.5.8