[TYPO3-english] TYPO3.ORG hacked
Markus Bucher
markus.bucher at bucher-it.de
Fri Nov 14 22:50:11 CET 2008
Good evening Dmitry,
> Was there a real need to post such things right now, when people are
> working hard to recover from the issue?
What exactly is the difference?
For you / for the security team trying to recover:
The bad guy has some kind of passwords. He can tell if these are
md5-hashed or not. That's it. He (or she) has no advantage if this
information becomes public right now.
For you / us / everyone having an account at typo3.org:
We want to find out how severe this case is. Either
"Someone knows the exact phrase my password was and can use this in
_any_ web application"
or
"Someone knows the md5-hash of my password and can send this to any
web application that uses md5-hashed passwords and that accepts
md5-hashes instead of transmitted plaintext."
This is a big difference to me.
Please, make me wiser. Why does nobody tell us this bit of information?
Not shouting, just wondering. Markus