Security update (9)

1 Name: !WAHa.06x36 2005-09-12 12:54 ID:Onklm93N

No, it's not actually the mythical Next Update yet. But a little while ago, sophismata alerted me to a weakness in the secure tripcode code, and while I meant to hold off fixing it until the Next Update, I've been putting off doing THAT until I've finished at least the beta version of Xee, and that was taking too much time, so I decided to do a quick fix for this:

http://wakaba.c3.cx/releases/wakaba_2.1.5.zip
http://wakaba.c3.cx/releases/kareha_2.0.4.zip

The only file that has changed is wakautils.pl, so you can just download and install that if you prefer:

http://wakaba.c3.cx/releases/wakautils.zip

I'll leave out the details about this for now to let people upgrade. If you run a board, I do suggest doing this upgrade. If you frequent a board that hasn't been upgraded, you might want to point the admin at this thread. Also, finally, thanks to sophismata for pointing this one out! This is a bit of a quick fix, and I'll make something more solid for the real Next Update.

2 Name: !WAHa.06x36 2005-09-12 14:05 ID:Onklm93N

Word to the wise: Replacing wakautils.pl will only work if you're already running the latest versions (2.1.4 and 2.0.3). I fucked that up myself just now.

3 Name: Anonymous 2005-09-12 16:08 ID:Heaven

What's Xee again?

4 Name: !WAHa.06x36 2005-09-12 17:01 ID:Onklm93N

http://wakaba.c3.cx/sup/kareha.pl/1122405906 <-- My Mac OS X image viewer.

5 Name: Anonymous 2005-10-19 18:48 ID:PWDg7vAk

age since it ran off the first 40 topics, and waha never explained it

6 Name:   2005-10-19 19:01 ID:Heaven

I think I'll leave it until after the Legendary Next Update to give more people a chance to update.

7 Name: Anonymous : 2006-03-03 15:13 ID:IV0/Cgrr

And now months after the Legendary Next Update still no explanation...

8 Name: !WAHa.06x36 : 2006-03-03 17:39 ID:Heaven

Oh, mostly because I forgot all about it.

There was this trick where the RC4 hashing only uses 256 bytes, so you can push the SECRET off the end of the string, and then crack it one letter at a time. This should be sort of obvious from what the update did, though.
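
Added example, not part of the post above and not Wakaba's code: a textbook RC4 key schedule showing why a key longer than 256 bytes silently drops its tail, next to a keyed hash that cannot lose the secret this way. The key layout (user string followed by the secret), the function names and the sample secrets are assumptions made for illustration, and the HMAC variant is a standard construction, not a description of what 2.1.5 or 3.0.0 actually do.

```python
import hashlib
import hmac

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4. The key schedule reads key[i % len(key)] for i in 0..255 only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def weak_trip(user_input: bytes, secret: bytes) -> str:
    # Assumed weak construction: user string first, secret appended, raw RC4 keying.
    return rc4_keystream(user_input + secret, 8).hex()

def secret_bytes_used(user_input: bytes, secret: bytes) -> int:
    """Bytes of the secret that fall inside the 256-byte window the key schedule reads."""
    return max(0, min(len(secret), 256 - len(user_input)))

def hardened_trip(user_input: bytes, secret: bytes) -> str:
    # HMAC keys the hash with the secret and digests the whole input,
    # so no input length can displace the secret.
    return hmac.new(secret, user_input, hashlib.sha256).hexdigest()[:16]

if __name__ == "__main__":
    s1, s2 = b"secret-one", b"other-secret"  # constructed sample secrets
    long_input = b"A" * 256
    print("secret bytes reaching RC4:", secret_bytes_used(long_input, s1))
    print("weak output ignores secret:",
          weak_trip(long_input, s1) == weak_trip(long_input, s2))
    print("hardened output depends on secret:",
          hardened_trip(long_input, s1) != hardened_trip(long_input, s2))
```

A server-side length cap on the user string is the other half of the defence: it keeps any raw RC4 keying from ever seeing more than 256 bytes.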

9 Name: Anonymous : 2006-03-03 17:57 ID:H6ylhFA6

Sadly, people take a long time to update, or I would copy/paste my explanation. To state the obvious, though, SECRET not being secret is a bad thing, and you were able to find SECRET in a trivial amount of time.
The 3.0.0 SECRET system is a lot better at not falling totally apart in cases like this (although not ideal).
