Hi guys.
I am suspecting about b2evo login validation. I was wondering about the encryption algorithm of b2evo. I saw the codes in register.php its just using a normal md5 encryption But its using a sha1 session validation.
If someone has a unsecured php codes like vulnerable to Mysql injection or RFI together with b2evolution (example http://victim.com/MAINCMS and http://victom.com/B2VO). The B2evolution database could be cracked easily using some kind of a md5 crack or online md5 cracker like hashkiller.
I was wondering if its possible that B2evo V4 will be using more secure hash algorithm like $md5(md5($salt).md5($pass)) in the file register.php
Please correct me if im wrong.
Thanks
General Support
b2evolution CMS Support Forums
This doesn't make much difference since $salt must have some fixed value in order for b2evo to compare user passwords.
If a hacker dumps the database he/she will get the $salt value too. It will take just a minute for hacker to modify the brute-force script for "$md5(md5($salt).md5($pass))" scheme.
This modification may only protect from script kiddies ;)