geteso.org updated to pre-release 2

Tags
news passwords releases security updates 

admin

2 weeks ago (edited by admin 2 weeks ago) Administrator

I have updated the website to p.2 of the forum software which includes several bug fixes and security improvements. One of the biggest changes I have made to the forum involves the hashing of users' credentials, because the forum's generated salt previously existed as a global configuration variable that was applied to each user. I have added a "salt" field to the et_members table of the database which acts as a string that is unique to each user and is regenerated whenever they request a new password.

I've also made several improvements to the code quality of the software by checking for extension compliance and eliminating a couple of warnings that have persisted with unvalidated users (see this conversation where I talk about the bug).

In order to benefit from the new hashing method you must change your password so that the forum can generate a new salt for you. The only alternative would be for me to get rid of the "global" salt that was previously used on this forum which would have required every user to go through the process of resetting their password or being locked out of their account. Once again, if you can't access your account for any reason, please send me an e-mail and follow the same procedure as mentioned here.
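The difference between the old site-wide salt and the new per-user salt column, as an added example in Python (the geteso forum is PHP; this is not its code). It assumes PBKDF2-HMAC-SHA256 as the password hash, an iteration count, and a made-up GLOBAL_SALT standing in for the old configuration variable; none of those are stated in the post. It also goes one step beyond the post's flow: because the plaintext is in hand at a successful login, a legacy row can be re-hashed with a fresh salt at login rather than only when the user changes their password.

```python
"""Global (config-file) salt vs. per-user salt, with lazy migration.

Added example, not the geteso forum's code. PBKDF2-HMAC-SHA256, ITERATIONS
and GLOBAL_SALT are assumptions; the forum's real hash function and salt
value are not given on the page.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

GLOBAL_SALT = b"old-site-wide-salt-from-config"   # constructed stand-in
ITERATIONS = 50_000                               # assumed work factor


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Member:
    """One row of et_members; salt is None for rows hashed with GLOBAL_SALT."""
    username: str
    password_hash: bytes
    salt: Optional[bytes] = None


def legacy_register(username: str, password: str) -> Member:
    """How accounts were created before p.2: every user shared GLOBAL_SALT."""
    return Member(username, kdf(password, GLOBAL_SALT))


def set_password(member: Member, password: str) -> None:
    """p.2 behaviour: a fresh random salt is generated on every password change."""
    member.salt = os.urandom(16)
    member.password_hash = kdf(password, member.salt)


def new_register(username: str, password: str) -> Member:
    member = Member(username, b"")
    set_password(member, password)
    return member


def verify(member: Member, password: str) -> bool:
    """Legacy rows fall back to GLOBAL_SALT, so nobody is locked out."""
    salt = GLOBAL_SALT if member.salt is None else member.salt
    return hmac.compare_digest(kdf(password, salt), member.password_hash)


def login(member: Member, password: str) -> bool:
    """Verify; if the row is still legacy, re-hash it with a per-user salt now.

    The plaintext is available at a successful login, so migration need not
    wait for the user to pick a new password (this goes beyond the post).
    """
    if not verify(member, password):
        return False
    if member.salt is None:
        set_password(member, password)
    return True


def hashes_collide(register, password: str) -> bool:
    """Do two users who chose the same password get the same stored hash?"""
    a, b = register("alice", password), register("bob", password)
    return a.password_hash == b.password_hash


if __name__ == "__main__":
    print("global salt, same password -> same hash:", hashes_collide(legacy_register, "hunter2"))
    print("per-user salt, same password -> same hash:", hashes_collide(new_register, "hunter2"))
```

The collision check is the whole point of the change: with one shared salt, every user who picked "hunter2" has an identical hash, so one cracked hash (or one precomputed table built for that salt) covers all of them, while per-user salts force the attacker to start over for each row. Keeping the global salt as the fallback for rows whose salt column is empty is what lets existing accounts keep logging in without a forced reset.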


Very nice. I changed my password to the same thing it already was. I believe that worked.


Huh, that's great

But… was the aggressive rollback necessary? (Just asking)


0V3R_L0RD wrote:

But… was the aggressive rollback necessary? (Just asking)

There wasn't any rollback, the forum has just been offline for a while.


Moriarty wrote:

There wasn't any rollback, the forum has just been offline for a while.

Huh, well that happened

Also, what the hell happened to BrandBox? Was there a reason for his suspension?


admin

2 weeks ago Administrator

0V3R_L0RD wrote:

Also, what the hell happened to BrandBox? Was there a reason for his suspension?

BrandBox hasn't been suspended but his account has. Until he can regain control of his account (reset his password with the steps mentioned above) I've kept it from being used to spam the forum.


admin wrote:

BrandBox hasn't been suspended but his account has. Until he can regain control of his account (reset his password with the steps mentioned above) I've kept it from being used to spam the forum.

Wait, someone got to BrandBox's account and started spamming?


admin wrote:

I have updated the website to p.2 of the forum software which includes several bug fixes and security improvements. One of the biggest changes I have made to the forum involves the hashing of users' credentials, because the forum's generated salt previously existed as a global configuration variable that was applied to each user. I have added a "salt" field to the et_members table of the database which acts as a string that is unique to each user and is regenerated whenever they request a new password.

I've also made several improvements to the code quality of the software by checking for extension compliance and eliminating a couple of warnings that have persisted with unvalidated users (see this conversation where I talk about the bug).

In order to benefit from the new hashing method you must change your password so that the forum can generate a new salt for you. The only alternative would be for me to get rid of the "global" salt that was previously used on this forum which would have required every user to go through the process of resetting their password or being locked out of their account. Once again, if you can't access your account for any reason, please send me an e-mail and follow the same procedure as mentioned here.

Why don't you set all the unset salts to the "global" salt so people don't need to reset their passwords? Also, why did I get 81 emails from your site trying to reset my password?

Additionally, why is the site so barebones now? I can't change my avatar, can't set dark mode, can't set my theme, and there's no shouts.


admin

Last week Administrator

freshlycutgrass wrote:

Why don't you set all the unset salts to the "global" salt so people don't need to reset their passwords? Also, why did I get 81 emails from your site trying to reset my password?

The global salt was changed to a new, randomly generated string used in the database as an additional security measure because of the insecurity of using a global salt in the first place and to prevent any users that signed up from when that method was in place from having their accounts compromised in the future.

As for the e-mail spam, somebody has been doing just that: spamming the "forgot my password" form. I have been making changes to the software by adding flood control measures to the login form and will soon be extending what I've done to the forgot my password form. :)


admin wrote:

The global salt was changed to a new, randomly generated string used in the database as an additional security measure because of the insecurity of using a global salt in the first place and to prevent any users that signed up from when that method was in place from having their accounts compromised in the future.

As for the e-mail spam, somebody has been doing just that: spamming the "forgot my password" form. I have been making changes to the software by adding flood control measures to the login form and will soon be extending what I've done to the forgot my password form. :)

How did they get my e-mail address?


0V3R_L0RD

Last week (edited by 0V3R_L0RD Last week)

freshlycutgrass wrote:

How did they get my e-mail address?

Someone copied your username, and wanted to access your profile by spamming "forgot my password", that's how Akefu did it with BrandBox (if I'm correct, if not, someone tell me)

In fact, I bet it WAS Akefu, who noticed some sort of loophole and was exploiting it for his spamming shenanigans


admin

Last week Administrator

0V3R_L0RD wrote:

Someone copied your username, and wanted to access your profile by spamming "forgot my password", that's how Akefu did it with BrandBox (if I'm correct, if not, someone tell me)

No.

freshlycutgrass wrote:

How did they get my e-mail address?

They didn’t. From what I have heard everybody has received an e-mail address including non-existent e-mails. I have disabled the form to prevent it from being spammed further until I add flood prevention to the software.


admin wrote:

No.

They didn’t. From what I have heard everybody has received an e-mail address including non-existent e-mails. I have disabled the form to prevent it from being spammed further until I add flood prevention to the software.

That doesn't answer my question. "Everybody has received an E-mail address" makes no sense either. How did they get the list of emails including every single active member of the forum to input into the forgot password page? My email has been in no database leaks, and is a new one, too, so how did they get it?


admin

Last week (edited by admin Last week) Administrator

freshlycutgrass wrote:

That doesn't answer my question. "Everybody has received an E-mail address" makes no sense either. How did they get the list of emails including every single active member of the forum to input into the forgot password page? My email has been in no database leaks, and is a new one, too, so how did they get it?

Without sounding condescending, here is an explanation I wrote that is from a Discord server about geteso:

Even if somebody spammed the forgot password field they would not discover "your" e-mail because that field will not reveal which e-mail address belongs to you. If somebody is trying to brute force that field and they make a "hit," they will not discover somebody's username in connection with an address; an attacker will only send out an e-mail to, for all they know, some confused user wondering why they just received a password change request.
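The two properties the admin describes in this thread, flood control on the "forgot my password" form (the earlier reply about adding it to the login form first) and a form that never reveals whether an address belongs to an account, shown together as an added example in Python. This is not the geteso forum's code: the limits (5 submissions per IP and 3 per address per hour), the sliding-window limiter and the mailer callable are assumptions chosen for illustration.

```python
"""Flood control plus a non-revealing reply for a "forgot my password" form.

Added example, not the geteso forum's code. The rate limits, the limiter
design and the mailer interface are assumptions for illustration.
"""
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Iterable, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:   # forget timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Same text for every outcome: unknown address, throttled, or mail actually sent.
NEUTRAL_RESPONSE = ("If that address belongs to an account, "
                    "a password reset e-mail has been sent.")


class ForgotPasswordForm:
    def __init__(self, registered_emails: Iterable[str],
                 mailer: Callable[[str, str], None],
                 per_ip: Tuple[int, float] = (5, 3600.0),
                 per_address: Tuple[int, float] = (3, 3600.0)):
        self.registered = {e.strip().lower() for e in registered_emails}
        self.mailer = mailer                       # mailer(address, reset_token)
        self.ip_limiter = SlidingWindowLimiter(*per_ip)
        self.addr_limiter = SlidingWindowLimiter(*per_address)

    def submit(self, client_ip: str, email: str, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        email = email.strip().lower()
        # Both limiters are consulted before the membership check, and the
        # reply is identical in every branch, so neither throttling nor
        # "this address exists" is observable from the response body.
        ip_ok = self.ip_limiter.allow(client_ip, now)
        addr_ok = self.addr_limiter.allow(email, now)
        if ip_ok and addr_ok and email in self.registered:
            self.mailer(email, secrets.token_urlsafe(32))   # constructed token; real
        return NEUTRAL_RESPONSE                              # flows would store and expire it


if __name__ == "__main__":
    outbox = []
    form = ForgotPasswordForm(["alice@example.org"], lambda addr, tok: outbox.append(addr))
    # Constructed flood: 81 submissions for one address from rotating IPs.
    for i in range(81):
        form.submit(f"203.0.113.{i % 50}", "alice@example.org", now=float(i))
    print("mails actually sent:", len(outbox))            # capped by the per-address limit
```

The per-address cap is what turns "81 e-mails" into 3, even when the attacker rotates source addresses; the per-IP cap handles the case where one client sprays many addresses. One caveat a practitioner should weigh: a per-address limit also lets an attacker block a victim's own reset for the length of the window, so the window should be short and the form should still accept a reset initiated from an already-authenticated session. The constant response text does not address timing differences between the "mail sent" and "not registered" branches; queuing the mail asynchronously keeps both paths similar.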

freshlycutgrass

Last week (edited by freshlycutgrass Last week)

admin wrote:

Without sounding condescending, here is an explanation I wrote that is from a Discord server about geteso:

Even if somebody spammed the forgot password field they would not discover "your" e-mail because that field will not reveal which e-mail address belongs to you. If somebody is trying to brute force that field and they make a "hit," they will not discover somebody's username in connection with an address; an attacker will only send out an e-mail to, for all they know, some confused user wondering why they just received a password change request.

But you didn't answer the question you retard. Where did they get everyone's email in the first place? It doesn't matter if they don't know whose it is, how did they get them?


freshlycutgrass wrote:

But you didn't answer the question you retard. Where did they get everyone's email in the first place? It doesn't matter if they don't know whose it is, how did they get them?

Why the anger? And did you read the message? It talks about brute-force attacks, so I would guess that that's what happened.

