4.3.24 Vulnerabilities
UserSpice forums, Support Center, UserSpice 4.3 and Below (https://userspice.com/forums)
4.3.24 Vulnerabilities - Gok - 06-13-2018

Hello

New version release anytime soon for these?

https://packetstormsecurity.com/files/148107/userspice4324-enumerate.txt?utm_source=dlvr.it&utm_medium=twitter
https://www.exploit-db.com/exploits/44871/

4.3.24 Vulnerabilities - Brandin - 06-13-2018

Hi Gok,

We will be working on patching these soon. Fortunately the first one relies on you providing someone with Administrator access.

Thank you,
Brandin.

4.3.24 Vulnerabilities - mudmin - 06-13-2018

Regarding the second vulnerability, we're going to fix it, but I'd like to point out a tech note. Because of the way our passwords are stored in the database, even figuring out someone's username, does not make brute forcing someone's password trivial or fast (unless they use a really common stupid one).

The whole $2y$12 thing at the beginning of our passwords means that the server needs to do a LOT of work to check a password. It's impossible to speed that up. It doesn't make our sites completely brute force proof, but it takes long enough per guess that it's very brute force resistant.

Also, if you change the 12 to 13 on your password hashing it makes it take twice as long and 14 is twice as long as 13.

4.3.24 Vulnerabilities - Brandin - 06-18-2018

These were resolved with the most recent update.
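
The cost factor discussed in the thread, as an added example that is not part of any post and is not UserSpice code: it times bcrypt at several costs and shows one way to move existing cost-12 hashes to a higher cost at login. It assumes the hashes come from PHP's `password_hash()` (the source of the `$2y$` prefix); `TARGET_COST`, `time_bcrypt()` and `verify_and_upgrade()` are hypothetical names, and the password is a constructed sample.

```php
<?php
// Added example, not UserSpice code. Names and the target cost are assumptions.

const TARGET_COST = 13; // assumed new work factor; the thread's hashes use 12

// Time one bcrypt hash at a given cost, in milliseconds.
function time_bcrypt(int $cost): float
{
    $start = microtime(true);
    password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    return (microtime(true) - $start) * 1000.0;
}

// Verify a login and, if the stored hash uses a different cost than the
// target, return a replacement hash. Returns [bool $ok, ?string $newHash].
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $opts = ['cost' => TARGET_COST];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $opts)) {
        // Only possible here, while the plaintext is available at login.
        return [true, password_hash($password, PASSWORD_BCRYPT, $opts)];
    }
    return [true, null];
}

// Each +1 in cost doubles bcrypt's key-setup iterations (2^cost).
foreach ([10, 11, 12, 13] as $cost) {
    printf("cost %2d: %7.1f ms per hash\n", $cost, time_bcrypt($cost));
}

// Constructed sample: an account whose hash was created at cost 12.
$old = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 12]);
printf("stored prefix: %s\n", substr($old, 0, 7));

[$ok, $new] = verify_and_upgrade('constructed-sample-password', $old);
if ($ok && $new !== null) {
    // A real application would write $new back to the user's row here.
    printf("upgraded to cost %d\n", password_get_info($new)['options']['cost']);
}

// A wrong guess fails verification and never triggers a rehash.
[$ok, $new] = verify_and_upgrade('wrong-guess', $old);
printf("wrong guess accepted: %s\n", $ok ? 'yes' : 'no');
```

The timing loop is worth running on the production host before changing the cost, since the per-login delay applies to legitimate users as well as to guessing attempts.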