CVE-2018-15680
Description
BTITeam XBTIT 2.5.4 stores passwords as unsalted MD5 hashes, enabling offline brute-force attacks to recover cleartext credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In BTITeam XBTIT version 2.5.4, user passwords are stored in the xbtit_users table as unsalted MD5 hashes. This design flaw applies to all users and requires no special configuration to be reachable; the hashing method is inherent to the software's authentication mechanism.
Exploitation
An attacker must first obtain the password hashes from the database, for example through SQL injection, database backup exposure, or other means of database access. Once the hashes are acquired, the attacker can perform offline brute-force attacks using widely available tools to recover the original plaintext passwords. No authentication or user interaction is needed for the brute-force step itself.
Impact
Successful exploitation allows the attacker to recover cleartext passwords for any user whose hash is obtained. This can lead to account takeover, including administrative accounts, and subsequent compromise of the torrent tracker's data and functionality.
Mitigation
As of the publication date (2018-09-05), no official patch or fixed version has been released by BTITeam. Users are advised to implement additional security measures such as salting and using a stronger hashing algorithm (e.g., bcrypt) if possible, or to migrate to alternative software that follows current password storage best practices.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 2.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Passwords stored as unsalted MD5 hashes in the xbtit_users table, making them trivially reversible via brute-force or precomputed rainbow tables."
Attack vector
An attacker who gains access to the database (e.g., via SQL injection or a breach) can extract the unsalted MD5 hashes from the xbtit_users table [ref_id=1]. Because no salt is used, the attacker can reverse these hashes using precomputed rainbow tables or brute-force attacks to recover the cleartext passwords [ref_id=1]. The advisory notes that even strong passwords require less time to crack compared to intentionally expensive hashing methods [ref_id=1]. Additionally, if an attacker also achieves XSS (CVE-2018-16361), they can steal the pass cookie, which is derived from the unsalted MD5 hash combined with a random number, further enabling password recovery [ref_id=1].
Affected code
The advisory identifies the xbtit_users table as the location where unsalted MD5 password hashes are stored [ref_id=1]. The password field contains MD5 hashes with an empty salt column, as shown in the SQL query output [ref_id=1]. The secsui_pass_type field in the xbtit_settings table controls the hashing scheme but is non-functional for options other than the default in version 2.5.4 [ref_id=1].
What the fix does
The advisory states that XBTIT 2.5.4 includes a security suite setting to choose different hashing schemes, but as of that version, selecting a new option does not work [ref_id=1]. The recommended remediation is to manually edit the secsui_pass_type field in the xbtit_settings table to a value of 6 (the new XBTIT hashing style), which introduces salts [ref_id=1]. No official patch is provided in the advisory; users are advised to update to a version superseding 2.5.4 or apply the referenced patch with caution [ref_id=1].
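The migration that the Mitigation paragraph and the advisory's salted scheme both point at, as an added illustration that is not XBTIT's own code (XBTIT is PHP; this is a language-neutral Python sketch): a constructed `users` dict mimics the `password`/`salt` columns of xbtit_users, legacy unsalted MD5 rows are flagged for audit, and a successful login transparently rehashes them with a per-user random salt and PBKDF2-SHA256. The iteration count and the `pbkdf2$` prefix are assumptions; bcrypt, as recommended above, would slot in the same way.

```python
import hashlib
import hmac
import os
import re

# Constructed sample row mimicking xbtit_users in 2.5.4: password = md5(cleartext),
# salt column empty. Not data from any real deployment.
LEGACY_ROWS = {
    "alice": {"password": hashlib.md5(b"hunter2").hexdigest(), "salt": ""},
}

LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune to ~100-300 ms per hash


def is_legacy_md5(row):
    """True for the unsalted MD5 layout the advisory describes (empty salt, 32 hex chars)."""
    return row["salt"] == "" and LEGACY_MD5.fullmatch(row["password"]) is not None


def make_hash(password, salt=None):
    """Salted, slow hash: per-user random salt plus PBKDF2-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"password": "pbkdf2$" + digest.hex(), "salt": salt.hex()}


def verify(row, password):
    """Constant-time comparison against either the legacy or the salted layout."""
    if is_legacy_md5(row):
        candidate = hashlib.md5(password.encode()).hexdigest()
    else:
        candidate = make_hash(password, bytes.fromhex(row["salt"]))["password"]
    return hmac.compare_digest(row["password"], candidate)


def login(users, username, password):
    """Authenticate; on success, replace a legacy MD5 row with a salted hash in place."""
    row = users.get(username)
    if row is None or not verify(row, password):
        return False
    if is_legacy_md5(row):
        users[username] = make_hash(password)
    return True


def audit_legacy(users):
    """Usernames still stored as unsalted MD5, e.g. to drive a forced password reset."""
    return sorted(name for name, row in users.items() if is_legacy_md5(row))
```

Running `audit_legacy` against the live table shows how many accounts have not logged in since the switch and therefore still carry a hash that offline brute force can recover.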
Preconditions
- auth: Attacker must obtain database access (e.g., via SQL injection or a data breach) to read the xbtit_users table.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. rastating.github.io/xbtit-multiple-vulnerabilities/ (MISC)
News mentions
No linked articles in our index yet.