CVE-2006-4068
published 2006-08-10CVE-2006-4068: The pswd.js script relies on the client to calculate whether a username and password match hard-coded hashed values for a server, and uses a hashing scheme…
PriorityP425medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
2.68%
84.0th percentile
The pswd.js script relies on the client to calculate whether a username and password match hard-coded hashed values for a server, and uses a hashing scheme that creates a large number of collisions, which makes it easier for remote attackers to conduct offline brute force attacks. NOTE: this script might also allow attackers to generate the server-side "secret" URL without determining the original password, but this possibility was not discussed by the original researcher.
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
CWE
Reliance on Security Through Obscurity
mitre_cwe·CVSS 5.0
[MEDIUM] CWE-656 Reliance on Security Through Obscurity
CWE-656: Reliance on Security Through Obscurity
The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.
This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Confidentiality,
CWE
Use of Weak Hash
mitre_cwe
CWE-328 Use of Weak Hash
CWE-328: Use of Weak Hash
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
A hash function is defined as an algorithm that maps arbitrarily sized data into a fixed-sized digest (output) such that the following properties hold: The algorithm is not invertible (also called "one-way" or "not reversible") The algorithm is deterministic; the same input produces the same digest every time Building on this definition, a cryptographic hash function must also ensure that a malicious actor
2006-08-10
Published