M_DCad (Bugernaut baby; Posts: 1/17; Location: Calgary; Registered: Jan 9 2003)
Posted on 01/09/2003 at 04:25:55AM
Bug 1:
------------
Problem: Welcome email has an invalid verification URL.
Solution: "/newgba/" in URL has to be changed to "/gba/"

Bug 2:
------------
Problem: A more serious security hole this time. The hash for the verification URL is simply a person's username + password hashed using the MD5 algorithm. This is stupid, stupid programming that basically makes email verification pointless.
Solution 1: Scramble the string somehow before hashing it with MD5... Or, better yet, use a completely random string.
Solution 2: Randomly generate new users' passwords and send them in the welcome email instead.
-----------
-M_DCAD
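The Bug 2 weakness and the "completely random string" fix, as an added example that is not part of the original post or the board's software. `VerificationStore`, its methods, the 24-hour validity window and the sample users are constructed for illustration; the only thing taken from the post is the MD5(username + password) construction.

```python
"""Email-verification tokens: the predictable scheme from the bug report
beside a random-token scheme.  Added example, not the board's own code;
VerificationStore and the sample users are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window for a verification link


def weak_token(username: str, password: str) -> str:
    """The scheme described in Bug 2: MD5 over username + password.

    The token is a pure function of two values the registrant typed into the
    signup form, so the registrant can reproduce it without ever reading the
    welcome email. The check therefore proves nothing about mailbox ownership.
    """
    return hashlib.md5((username + password).encode("utf-8")).hexdigest()


class VerificationStore:
    """Random, single-use, expiring verification tokens (Solution 1's
    'completely random string', carried a little further)."""

    def __init__(self) -> None:
        # username -> (sha256 hex of the token, expiry timestamp)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a token for the welcome email. Only its hash is stored,
        so a copy of the database does not yield usable links."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def verify(self, username: str, token: str, now: Optional[float] = None) -> bool:
        """Return True exactly once for the correct, unexpired token."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[username]  # stale link: require a fresh email
            return False
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False  # keep the entry; a mistyped link should not burn it
        del self._pending[username]  # single use
        return True


def demo() -> dict:
    """Exercise both schemes with constructed sample data."""
    # Weak scheme: identical form inputs always give the same token.
    deterministic = weak_token("alice", "hunter2") == weak_token("alice", "hunter2")

    # Random scheme: two issues differ, and a token works exactly once.
    t0 = 1_000_000.0
    store = VerificationStore()
    first = store.issue("alice", now=t0)
    other_store = VerificationStore()
    second = other_store.issue("alice", now=t0)
    return {
        "weak_is_deterministic": deterministic,
        "random_tokens_differ": first != second,
        "wrong_token_rejected": store.verify("alice", "not-the-token", now=t0),
        "right_token_accepted": store.verify("alice", first, now=t0 + 60),
        "replay_rejected": store.verify("alice", first, now=t0 + 120),
        "expired_rejected": other_store.verify(
            "alice", second, now=t0 + TOKEN_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The store keeps only a hash of the token and compares with `hmac.compare_digest`, so neither a database read nor response timing leaks the link; expiry and single use limit how long a forwarded or logged welcome email stays useful.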
kiwibonga (The President of Spainmark; "I own two websites now. It sucks. :P"; Posts: 220/717; Location: Montreal, Quebec, Canada; Registered: Sep 16 2002)
Posted on 01/10/2003 at 01:45:43AM
Maybe the reason nobody liked you on the front page is because you're kind of giving orders to people, or have this serious tone that, even though you seem of noble intention, feels like you're looking down on people or something ("stupid, stupid programming", for instance -- how about "everyone makes mistakes"?)...
That registration bug was fixed yesterday.
And you're right, I did forget to change the username+password thing, but it wasn't "stupid, stupid programming," because it was a nice way to get unique verification strings.
-----------
Happiness.
M_DCad (Bugernaut baby; Posts: 7/17; Location: Calgary; Registered: Jan 9 2003)
Posted on 01/10/2003 at 02:21:26AM
One-liner reply: Well, you can consider it a response to calling me a creep.
Long reply: Geez, did I ever call YOU stupid for making these mistakes? I said this particular bug was stupid programming, which it most definitely is since it defeats the purpose of account verification in the first place, but it's not like you're the only one who makes this mistake. Even the expensive, $200/year per license message boards have bugs like this. (To this day, UBB Classic has numerous XSS vulnerabilities AND stores user passwords in plain text cookies... A VERY bad combination.) Ok, so Infopop's programmers ARE morons, but anyway...
For having such an Advanced Ass and all, you sure are sensitive to these vaguely offensive chidings. o_O
-----------
-M_DCAD
kiwibonga (The President of Spainmark; "I own two websites now. It sucks. :P"; Posts: 223/717; Location: Montreal, Quebec, Canada; Registered: Sep 16 2002)
Posted on 01/10/2003 at 02:36:24AM
"I'm the boss, it doesn't have to make sense" :)
-----------
Happiness.