xgamer224 wrote:Hey, very nice! The only problem I can find is that it is very easy for people to locate the password salt/encryption thing... It took me about 5 mins total to find then de-activate it... This could be a potential problem for people who attempt to use this for malicious purposes... But there isn't much you can do about that... So, all in all, it's an extremely good addition to the program.
re*s.t.a.r.s.*2 wrote:Hi,
Appreciate your comment, it would be nice if you gave us more info on what you did to reach that conclusion.
The encryption of the hash function is weak; although I am not using md5, sha1() can be decrypted easily too.
To decrypt the hash you need to have access to the database; if you do, the server is already compromised... so decrypting the hash is pointless because we know it is easy to do.
What needs care is that nobody has access to the script and alters things server side or at code level, because that's how you hack a script.
Did you brute force it or just revert the hash set in the database?
If you see a weak spot in the code, let me know.
Thanks, appreciate it.
Regards, Utan
re*s.t.a.r.s.*2 wrote:Hi,
That's true, this could happen with any login system. As the website owner you have the opportunity to use it as you like; it is up to you whether it is going to be used as it was intended or not.
Making it harder to decrypt is possible; changing the use of sha1 and making the salt more random would help,
but it would make it slower. The point is that all the known hash functions can be easily decrypted.
Not much to do in that regard.
Appreciate your clarification.
Best wishes.
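The trade-off mentioned in the post above (move away from sha1, use a more random salt, accept slower hashing), as an added example that is not part of the thread or of the Pfc Login System code: it checks a legacy salted SHA-1 record and upgrades it to PHP's password_hash() on the next successful login. The sha1($salt . $password) layout and the record fields 'salt' and 'hash' are assumptions made for illustration.

```php
<?php
// Added example, not Pfc Login System code. The legacy layout
// sha1($salt . $password) and the fields 'salt'/'hash' are assumptions.

function legacy_hash(string $salt, string $password): string
{
    return sha1($salt . $password); // one fast round, cheap to guess offline
}

/**
 * Check a login against a stored record. Returns the record to write back
 * (upgraded if it was still a legacy SHA-1 entry) or null on a wrong password.
 */
function verify_and_upgrade(array $record, string $password): ?array
{
    // A legacy entry is a 40-character hex SHA-1 digest.
    $isLegacy = strlen($record['hash']) === 40 && ctype_xdigit($record['hash']);

    if ($isLegacy) {
        // Constant-time comparison of the legacy digest.
        if (!hash_equals($record['hash'], legacy_hash($record['salt'], $password))) {
            return null;
        }
        // Correct password: store a slow hash with its own random salt instead.
        return ['salt' => null, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $record['hash'])) {
        return null;
    }
    // Re-hash when PHP's default algorithm or cost has moved on.
    if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $record['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $record;
}

// Constructed sample data: a legacy record as it might sit in the database.
$salt   = bin2hex(random_bytes(16));
$record = ['salt' => $salt, 'hash' => legacy_hash($salt, 'correct horse')];

var_dump(verify_and_upgrade($record, 'wrong guess'));        // rejected login
$upgraded = verify_and_upgrade($record, 'correct horse');    // accepted, upgraded
var_dump($upgraded['hash']);
var_dump(verify_and_upgrade($upgraded, 'correct horse') !== null);
```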
xgamer224 wrote:
re*s.t.a.r.s.*2 wrote:Hi,
Appreciate your comment, it would be nice if you gave us more info on what you did to reach that conclusion.
The encryption of the hash function is weak; although I am not using md5, sha1() can be decrypted easily too.
To decrypt the hash you need to have access to the database; if you do, the server is already compromised... so decrypting the hash is pointless because we know it is easy to do.
What needs care is that nobody has access to the script and alters things server side or at code level, because that's how you hack a script.
Did you brute force it or just revert the hash set in the database?
If you see a weak spot in the code, let me know.
Thanks, appreciate it.
Regards, Utan
No, there isn't a weak spot. I just mean that someone who owns a website could use this login interface as some kind of phishing scam. I mean, the admin already gets the user's email address, and he wouldn't even have to decrypt the password if he just slightly edited the code. But, obviously, it isn't your problem... I'm just saying that you may want to make it slightly harder to decrypt and harder to remove the encryption in the code. Just a recommendation.
$chatChannel = array('Pfc chat'); // N_V- set the name of the room put it between ('hello','room')
$chatChannel = array('Pfc chat','the name of my chat room'); // N_V- set the name of the room put it between ('hello','room')
Is it permitted to change the 'Pfc Login System' logo at the top? I wish to change it to the logo for my group.