We should have to type 'old' password to choose a new one.
Posted by: nrg
Date: October 20, 2006 10:28AM

I think you should make it so people would need to put in the 'old' password before choosing the new one. The way it currently works, isn't it possible for anyone to change my password just by making me see a page like sla.ckers.org/forum/control.php?password=ilovecheese (just an example)?

If I'm wrong please tell me why.
ty

Re: We should have to type 'old' password to choose a new one.
Posted by: rsnake
Date: October 20, 2006 10:34AM

I suppose it's possible. I pretty much assume everyone on this board protects themselves from exploitation, given the subject matter, and it is strictly against the rules of the board to haX0r one another. That link didn't do anything anyway. ;) My password is still X0m8c0*b{ er...

- RSnake
Gotta love it. http://ha.ckers.org

Re: We should have to type 'old' password to choose a new one.
Posted by: maluc
Date: October 20, 2006 06:22PM

Well, for the sake of the long term, it's probably worth adding a current-pass check. Not that I'm worried anyone here would try to change my password _-_

Just because car theft is illegal doesn't mean it's wise to leave cars unlocked ..

-maluc

Re: We should have to type 'old' password to choose a new one.
Posted by: Spikeman
Date: October 23, 2006 03:45AM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://sla.ckers.org/forum/control.php&panel=password&forum_id=0&password=haxed&password2=haxed

Re: We should have to type 'old' password to choose a new one.
Posted by: WhiteAcid
Date: October 23, 2006 06:07AM

HAHAHAHA. well done.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: We should have to type 'old' password to choose a new one.
Posted by: lpilorz
Date: October 23, 2006 08:53AM

I did not check, but I'm pretty sure it works. My bet is that rsnake was aware of it for a long time, but believed everyone here would obey the rules ;)

Re: We should have to type 'old' password to choose a new one.
Posted by: rsnake
Date: October 23, 2006 11:23AM

Yes, I am/was well aware of it. Ugh... mostly I was hoping I wouldn't have to get off my ass and fix it. I'll have to find some time this week. I hate fixing other people's crappy code.

- RSnake
Gotta love it. http://ha.ckers.org

Re: We should have to type 'old' password to choose a new one.
Date: October 23, 2006 09:37PM

Security by obscurity at its finest. :-)

Re: We should have to type 'old' password to choose a new one.
Posted by: rsnake
Date: October 23, 2006 10:18PM

Hardly obscured... security by having a very full time day job, a gfnd, a very time consuming part time hobby... eesh! Where do I find the time?

- RSnake
Gotta love it. http://ha.ckers.org

Re: We should have to type 'old' password to choose a new one.
Posted by: nrg
Date: October 24, 2006 01:10PM

I'm pretty sure you can fix this single "bug" in 5 minutes rsnake, but it also should work for email/sig changing, posting etc. So there should be a random identifier for the user session required for every action :F

Someone could do this: make it PM the "hacker" with something so he knows who he has owned, and also change the person's email to something so the other person can't retrieve the password :w00t:

--
http://chasenet.org/home/

Re: We should have to type 'old' password to choose a new one.
Posted by: rsnake
Date: October 24, 2006 04:18PM

Actually wouldn't that be an interesting service to provide? Nonces in a secured environment via a third party? Vaguely difficult to implement but could take a lot of the leg work out of it for small companies who don't know how to fix it themselves.

- RSnake
Gotta love it. http://ha.ckers.org

Re: We should have to type 'old' password to choose a new one.
Posted by: maluc
Date: January 13, 2009 08:07PM

Finally got around to fixing it. It simply requires the old password, as I am too lazy to build in a nonce framework.

-maluc

Re: We should have to type 'old' password to choose a new one.
Date: January 23, 2009 11:34AM

I don't see the point of this when the site doesn't use encrypted login connections, so your password is sent in plain text. Requiring the old password to change the password is, well, pointless in my opinion, unless it's just in place to protect against CSRF.

Re: We should have to type 'old' password to choose a new one.
Posted by: backbone
Date: January 23, 2009 01:19PM

@CrYpTiC_MauleR: I think that is exactly why the request has been made :). To prevent CSRF.

---
blog [-] microblog

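Putting nrg's per-session random identifier and maluc's old-password check together, as an added example that is not the forum's own code: a minimal Python model of a control.php-style password handler that rejects both the bare link from the first post and a POST with only the new-password fields, while a request carrying the session nonce and the current password succeeds. The in-memory user and session stores, the field names and the PBKDF2 hashing are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the forum's user table and session store (not the real code).
# Passwords are stored as per-user salted PBKDF2 hashes.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_salt = secrets.token_bytes(16)
USERS = {"nrg": {"salt": _salt, "pw_hash": _hash("ilovecheese", _salt)}}

def new_session(user):
    """Log a user in and mint the per-session random identifier (CSRF nonce) nrg asked for."""
    return {"user": user, "csrf": secrets.token_hex(16)}

def render_change_form(session):
    """Hidden fields the legitimate change-password form embeds; a cross-site page cannot read them."""
    return {"csrf": session["csrf"]}

def change_password(session, method, form):
    """Server-side handler for panel=password. Returns 'ok' or the reason the request was rejected."""
    user = USERS[session["user"]]
    if method != "POST":                        # a bare link (GET) must never change state
        return "rejected: GET cannot change state"
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return "rejected: missing or wrong CSRF nonce"
    old = form.get("old_password", "")          # the check maluc shipped: prove you know the current password
    if not hmac.compare_digest(_hash(old, user["salt"]), user["pw_hash"]):
        return "rejected: current password does not match"
    if not form.get("password") or form.get("password") != form.get("password2"):
        return "rejected: new passwords empty or do not match"
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash(form["password"], user["salt"])
    session["csrf"] = secrets.token_hex(16)     # rotate the nonce after every state change
    return "ok"

def login_ok(user, password):
    """Constant-time check used to confirm which password is now in effect."""
    u = USERS[user]
    return hmac.compare_digest(_hash(password, u["salt"]), u["pw_hash"])
```

Either check alone already stops the forged requests in this thread; the nonce is what generalises the protection to email, signature and posting actions, as nrg pointed out.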
Re: We should have to type 'old' password to choose a new one.
Posted by: id
Date: January 23, 2009 03:06PM

At one point I bought an SSL cert for this domain, but I forget where I put it... someday, when I get a sysadmin to do shit like that, I'll make sla.ckers SSL...

-id

Re: We should have to type 'old' password to choose a new one.
Date: January 23, 2009 07:30PM

I hear RapidSSL is giving a discount on MD5 signed certs. Hurry on over!

Re: We should have to type 'old' password to choose a new one.
Posted by: PaPPy
Date: May 07, 2009 12:35PM

CSRF? Hey, check out this blog (and turn off your NoScript), and ignore my hidden iframe to change your password.

I don't know if sla.ckers has CSRF protection as I haven't tried messing around,
so if they do, ignore my ramblings.

http://www.xssed.com/archive/author=PaPPy/

Re: We should have to type 'old' password to choose a new one.
Posted by: Anthem
Date: June 08, 2009 10:26PM

Trust is a funny thing...

I trust most of you. I don't ask the same back, not that I could do anything.

--
Can you hear them?

So much to learn, so little time...
