The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.1.2-1ubuntu2.14 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!
UserSpice   ›   Support Center   ›   UserSpice 4.3 and Below   ›   4.3.24 Vulnerabilities

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
4.3.24 Vulnerabilities
mudmin
Lead Developer
*******
Joined: Dec 2015
Posts: 2,285

Reputation: 17
#3
06-13-2018, 11:03 AM
Regarding the second vulnerability, we're going to fix it, but I'd like to point out a tech note. Because of the way our passwords are stored in the database, even figuring out someone's username, does not make brute forcing someone's password trivial or fast (unless they use a really common stupid one). The whole $2y$12 thing at the beginning of our passwords means that the server needs to do a LOT of work to check a password. It's impossible to speed that up. It doesn't make our sites completely brute force proof, but it takes long enough per guess that it's very brute force resistant. Also, if you change the 12 to 13 on your password hashing it makes it take twice as long and 14 is twice as long as 13.
  Reply


Messages In This Thread
4.3.24 Vulnerabilities - by Gok - 06-13-2018, 05:12 AM
4.3.24 Vulnerabilities - by Brandin - 06-13-2018, 10:00 AM
4.3.24 Vulnerabilities - by mudmin - 06-13-2018, 11:03 AM
4.3.24 Vulnerabilities - by Brandin - 06-18-2018, 09:21 AM

Forum Jump:


Users browsing this thread: 1 Guest(s)