[TYPO3-english] TYPO3.ORG hacked

Markus Bucher markus.bucher at bucher-it.de
Fri Nov 14 22:50:11 CET 2008


Good evening Dmitry,

> Was there a real need to post such things right now, when people are
> working hard to recover from the issue?

What exactly is the difference?

For you / for the security team trying to recover:
The bad guy has some kind of passwords. He can tell if these are 
md5-hashed or not. That's it. He (or she) has no advantage if this 
information becomes public right now.

For you / us / everyone having an account at typo3.org:
We want to find out how severe this case is. Either

"Someone knows the exact phrase my password was and can use this in 
_any_ web application"

or

"Someone knows the md5-hash of my password and can send this to any 
web application that uses md5-hashed passwords and that accepts 
md5-hashes instead of transmitted plaintext."

This is a big difference to me.

Please, make me wiser. Why does nobody tell us this bit of information?

Not shouting, just wondering. Markus

