05-11-2008, 08:08 PM
/meow
Character: vortfu
Server: Retired
Posts: 22
Everyone using EQDKP
The EQDKP team was notified about a serious vulnerability in their authentication code on April 10th (emphasis on 'notified').... and not only have they not replied to the PMs, they haven't even released a patch so the randoms of the world can sleep better at night.
Retards.
And for everyone using this shit
Retards.
And a special mention for everyone who uses the same DKP password as they do for their account / forum passwords (it has been confirmed how unbelievably fucking funny this is - especially now the cracked hashes are publicly available on Free Rainbow Tables)
Retards++.
And for anyone interested ....
Quote:
D. Criminal Law: Don’t post instructions on how to build a drug lab, an explosive device, or any other information that if used would result in a crime. Never link to pages containing this type of information.
Sorry, this could start a wildfire that I don't want to be responsible for. <3 Niber
|
Discuss.
Circle Jerk.
vortfu
Last edited by Niber; 05-12-2008 at 02:26 PM.
05-11-2008, 09:47 PM
Visitor
Character: Ambarta
Guild: Nexus
Server: Najena
Posts: 45
Re: Everyone using EQDKP
If EQDKP Password = Guild Forum Password (and many do)
Then I guess some people would be interested in having a peek into other guilds' forums... or officer sections even.
Call lists.. Strats.. Drama..
05-12-2008, 08:27 AM
Regular
Character: Arlen Bouldersmite
Guild: FURY
Server: Lucan D'lere
Posts: 190
Re: Everyone using EQDKP
ok - color me naive, but, why the fuck would someone want to raid someone else's forum?? sure - maybe read some shit for giggles, but c'mon is this game that serious to folks that they feel the need to see what uber guild x internal drama is and post it, or steal roster info, or read up on their leet strats? shit the strats are already posted all over this site. sometimes I am truly amazed by some folks. (now if this was a way to obtain actual account info - then I stand corrected and I'll stfu)
__________________
Arlen Bouldersmite
80Guardian LDL
everything you hold dear , life, love and happiness has been bought and paid for by a Soldier. "freedom is never free"
05-12-2008, 09:37 AM
WW Disco Warlock Mythical!
Character: Udoaka [Syndarin]
Guild: Golden Spoon [Dreadnaught]
Server: AB [Ghostlands (WoW)]
Posts: 817
Re: Everyone using EQDKP
Quote:
Originally Posted by Arlen Bouldersmi
ok - color me naive, but, why the fuck would someone want to raid someone else's forum??
|
For the lolz!
05-12-2008, 10:49 AM
A Pimp Named Slickback
Character: Tool
Guild: Bloodlines of the Fallen
Server: Mistmoore
Posts: 1,685
Re: Everyone using EQDKP
Well, people are extraordinarily lazy. That's a fundamental fact of life. So, in all likelihood, there is a large percentage of people who use the exact same login info for the game that they use for everything else game related. Flames, guild websites, eqdps, soe boards, the place we all downloaded our UI from (drawing a blank on the name right now), etc. So yeah, if you could, for instance, easily get the eqdkp login info for 100 people, there would be a good chunk of them that would allow you to log into the game. Not only that, if you cared to follow it up, I bet there'd be a few in that hundred where you could log into their email accounts or work computers. Because people are dumb and hackers exploit that.
-h
__________________
Let us Pray the Pimp's Prayer.
Lord, please pray for the soul of this bitch and guide my pimp hand and make it strong Lord, so that she might learn a hoe's place.
Amen
05-12-2008, 12:23 PM
-------------------
Character: Devastatin
Guild: Revelations
Server: Unrest
Posts: 1,795
Re: Everyone using EQDKP
Well, easiest way to make it harder for someone to screw with your DKP is to set up your admin account to be an arbitrary account number where "1, " . // * user_id does not equal 1.
I would select something very random and in line with everything else. This will deter many 'script kiddies' away. But there are other SQL Injection Exploits that involve eqdkp.
Until they fix listmembers.php, it's going to be an ongoing issue. (it has to do with the rank feature within listmembers)
05-12-2008, 12:43 PM
Nobody
Re: Everyone using EQDKP
Quote:
Originally Posted by Niber
Interesting, but who would go out of their way to crack eqDKP passwords?
|
Retards mostly!
05-12-2008, 01:42 PM
*
Re: Everyone using EQDKP
Quote:
Originally Posted by Niber
Interesting, but who would go out of their way to crack eqDKP passwords?
|
You don't need to crack anything, you don't even need a brain to use the PoC in the OP and log into any eqdkp installation with admin privileges and start messing with their data. Might be your own raiders giving themselves more dkp...
Quote:
Originally Posted by Johnathon
Until they fix listmembers.php, it's going to be an ongoing issue. (it has to do with the rank feature within listmembers)
|
The SQL injection via listmembers.php has been fixed long ago. The OP uses SQL injection via cookie data, i.e. the current bug has to be fixed in sessions.php.
__________________
Quote:
Originally Posted by Pryz
this site went through a huge decline when it went from a place for endgame players to exchange information and flames into a full on pathetic casual gangbang with e-friends.
|
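The fix class named in the post above (cookie data reaching SQL in the session code), sketched as an added example that is not from the thread or from EQDKP. It is Python with sqlite3 rather than EQDKP's PHP, and the cookie names `sid`/`uid`, the `sessions` table and all sample values are assumptions constructed for illustration.

```python
import re
import secrets
import sqlite3

# Exact shape of a server-issued session id (hypothetical format: 32 hex chars).
SID_RE = re.compile(r"[0-9a-f]{32}")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INTEGER NOT NULL)")
    return db

def create_session(db, user_id):
    sid = secrets.token_hex(16)  # 128-bit random id, generated server-side
    db.execute("INSERT INTO sessions (sid, user_id) VALUES (?, ?)", (sid, user_id))
    return sid

def user_for_cookie(db, cookies):
    """Return the user_id bound to the session cookie, or None (anonymous)."""
    sid = cookies.get("sid", "")
    # 1. Allow-list validation: anything that is not exactly 32 hex chars is dropped.
    if not isinstance(sid, str) or not SID_RE.fullmatch(sid):
        return None
    # 2. Bound parameter: the cookie value is data, never part of the SQL text.
    row = db.execute("SELECT user_id FROM sessions WHERE sid = ?", (sid,)).fetchone()
    # 3. Identity comes from the server-side row; a client-sent "uid" is ignored.
    return row[0] if row else None

def demo():
    db = make_db()
    admin_sid = create_session(db, 1)
    member_sid = create_session(db, 42)
    # Constructed cookie jars: two honest, the rest tampered or malformed.
    return {
        "honest admin": user_for_cookie(db, {"sid": admin_sid}),
        "honest member": user_for_cookie(db, {"sid": member_sid}),
        "member claiming uid=1": user_for_cookie(db, {"sid": member_sid, "uid": "1"}),
        "SQL metacharacters in sid": user_for_cookie(db, {"sid": "' -- not a session id"}),
        "well-formed but unknown sid": user_for_cookie(db, {"sid": "0" * 32}),
        "missing cookie": user_for_cookie(db, {}),
    }

if __name__ == "__main__":
    for case, uid in demo().items():
        print(f"{case:30} -> {uid}")
```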
05-12-2008, 01:47 PM
Nobody
Re: Everyone using EQDKP
Quote:
Originally Posted by gm9
You don't need to crack anything, you don't even need a brain to use the PoC in the OP and log into any eqdkp installation with admin privileges and start messing with their data. Might be your own raiders giving themselves more dkp...
|
Good thing for logs in eqdkp, that most people are too stupid to delete :0
Of course, there's always the SQL database which is the hardest part to delete, since everything you do in eqdkp is logged, so you can easily just recreate everything from that information.