Re: [dev] [PATCH] [ubase] Simplify login

From: Roberto E. Vargas Caballero <k0ga_AT_shike2.com>
Date: Wed, 4 Jun 2014 19:24:40 +0200

> > Before he gets in, he still has to run a brute-force/dictionary-att. on
> > all users. He wouldn't have much time if the admins have done their
> > jobs.
>
> Well no. Think about sysadmins who have to allow users to run crappy
> PHP code on a shared server (so glad I'm not one of those people at
> the moment). An attacker can execute commands as a web user,
> probably far easier than brute-forcing an initial login. If they can
> then just copy a world readable /etc/passwd, they can do all the
> hash cracking offline. Which isn't possible if there's a /etc/shadow.

This reminds me of this document [1], which explains how some guys defeated
the apache.org server a long, long time ago. Very good.

Regards,

[1] http://archives.neohapsis.com/archives/php/2000-05/att-0030/51-how_defaced_apache_org.txt
-- 
Roberto E. Vargas Caballero
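The point made in the quoted reply (a hash sitting in a world readable /etc/passwd can be cracked offline, which a separate /etc/shadow prevents), as an added example that is not code from the ubase patch or from anyone in this thread: a small audit that flags passwd-format entries carrying a hash or an empty password field, plus a check that a shadow file's mode denies read access to others. The sample passwd content is constructed.

```python
"""Audit passwd-format data for hashes that belong in /etc/shadow (added example)."""
import os
import stat

# Values that mean "look in the shadow file" or "no password login at all".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}

# Constructed sample: two shadowed accounts, one with a hash stored in
# passwd itself, and one with an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacy:$6$saltsalt$abcdefghijklmnopqrstuvwxyz:1001:1001:Legacy:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""


def find_exposed_hashes(passwd_text: str) -> list[dict]:
    """Return the entries whose password field is not a shadow placeholder.

    Each result records the line number, user name and why it was flagged.
    Malformed lines (not exactly seven colon-separated fields) are skipped.
    """
    exposed = []
    for lineno, raw in enumerate(passwd_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            exposed.append({"line": lineno, "user": user, "reason": "empty password"})
        elif pw not in SHADOW_PLACEHOLDERS:
            exposed.append({"line": lineno, "user": user, "reason": "hash in passwd"})
    return exposed


def shadow_mode_is_private(mode: int) -> bool:
    """True when a st_mode value grants no read permission to 'other'."""
    return not (mode & stat.S_IROTH)


if __name__ == "__main__":
    for entry in find_exposed_hashes(SAMPLE_PASSWD):
        print(f"line {entry['line']}: {entry['user']}: {entry['reason']}")
    if os.path.exists("/etc/shadow"):
        print("/etc/shadow private:", shadow_mode_is_private(os.stat("/etc/shadow").st_mode))
```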
Received on Wed Jun 04 2014 - 19:24:40 CEST