VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2018 · Updated Aug 5, 2024

CVE-2018-15681

Description

In XBTIT 2.5.4, the password hash is stored in a non-HTTPOnly cookie with a predictable salt, which allows attackers to brute-force the cleartext password after stealing the cookie.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In BTITeam XBTIT version 2.5.4, upon user login, the password hash is rehashed using a predictable salt and stored in the "pass" cookie. The cookie is not flagged as HTTPOnly, making it accessible to client-side scripts. [1]

Exploitation

An attacker must first steal the "pass" cookie, typically via cross-site scripting (XSS) or other means such as network interception. Once the cookie is obtained, the attacker can efficiently brute-force the hash due to the weak and predictable salt, recovering the user's cleartext password.

Impact

Successful exploitation results in the attacker gaining the user's cleartext password, leading to full account compromise. This can enable further attacks on the platform, including privilege escalation or data theft.

Mitigation

No official patch has been released as of the publication date. Users should consider upgrading to a newer version if available, or implement additional protections such as making cookies HTTPOnly and using a stronger, unpredictable salt. The vendor may have addressed this in later versions; check for updates.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Bti Tracker / Xbtit (inferred), 2 versions
    • = 2.5.4 (no CPE)
    • == 2.5.4 (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application stores a password hash in a cookie using a weak and predictable numeric salt (six digits, 100000–999999), and the cookie lacks the HTTPOnly flag, enabling offline brute-force recovery of the cleartext password."

Attack vector

An attacker who can steal the "pass" cookie (e.g., via cross-site scripting or by intercepting an unencrypted connection) obtains a value of the form `{rnd}{md5_hash}{rnd}`, where `rnd` is a six-digit numeric salt between 100000 and 999999 and `md5_hash` is the MD5 of the user's plaintext password. Because the salt is drawn from only 900,000 possible values and is simply prepended and appended to the digest, the attacker can brute-force the cookie offline: for each candidate salt, strip the first and last six digits to recover the inner MD5 hash, then look that hash up against a wordlist to recover the cleartext password. The researcher's PoC generates all permutations of `{rnd}{hash}{rnd}` for a wordlist, and the advisory shows the plaintext password "toor" being recovered from the cookie value in negligible time [1].

Affected code

The vulnerability is in the login mechanism of BTITeam XBTIT 2.5.4. When a user logs in, the application rehashes the user's password hash using a predictable salt (a six-digit numeric value between 100000 and 999999) and stores the result in the "pass" cookie. The cookie is not flagged as HTTPOnly, making it accessible to client-side scripts.

What the fix does

The advisory recommends that, within the security suite settings, the administrator choose "New xbtit (Session)" as the cookie type, which removes the hash from the cookie entirely [1]. This change invalidates all existing sessions and requires users to log back in. No source-code patch is provided in the bundle; the remediation is a configuration change that eliminates the exposure of the password hash in the cookie.
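As an added defender-side check (not code from the advisory or from XBTIT itself), the following audits Set-Cookie headers for the `{rnd}{md5_hash}{rnd}` layout described above and for the missing HttpOnly and Secure flags, and shows that a session-style cookie passes clean. The cookie values are constructed samples, and the session-cookie name `xbtit_session` is an assumption, not the name XBTIT uses.

```python
import re
from dataclasses import dataclass, field

# Layout from the advisory: a six-digit rnd in 100000..999999 repeated on both
# ends of a 32-character lowercase hex MD5 digest. The backreference enforces
# that prefix and suffix are the same number.
XBTIT_PASS_COOKIE = re.compile(
    r"^(?P<rnd>[1-9][0-9]{5})(?P<md5>[0-9a-f]{32})(?P=rnd)$"
)


@dataclass
class CookieFinding:
    name: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs map to ""
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> CookieFinding:
    """Flag a cookie that carries a password hash in the XBTIT layout or
    lacks the hardening flags the advisory calls for."""
    name, value, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if XBTIT_PASS_COOKIE.match(value):
        finding.issues.append("password hash exposed: six-digit wrapper is not a real salt")
    if "httponly" not in attrs:
        finding.issues.append("missing HttpOnly")
    if "secure" not in attrs:
        finding.issues.append("missing Secure")
    return finding


# Constructed samples (not captured from a real install): the digest is a
# dummy 32-hex string and the session id is an arbitrary opaque value.
VULNERABLE = "pass=1234560123456789abcdef0123456789abcdef123456; Path=/"
HARDENED = "xbtit_session=3f9c1e2a7b; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for header in (VULNERABLE, HARDENED):
        result = audit_set_cookie(header)
        print(result.name, result.issues or "ok")
```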

Preconditions

  • network: Attacker must be able to steal the 'pass' cookie (e.g., via XSS, network interception, or physical access to the victim's browser).
  • config: The XBTIT application must be configured to use the vulnerable cookie-based authentication method (not 'New xbtit (Session)').

Reproduction

1. Log in to XBTIT 2.5.4 and capture the "pass" cookie value.
2. Use the researcher's PoC script (or equivalent) to generate all permutations of `{rnd}{md5_hash}{rnd}` for a wordlist of candidate passwords, where `rnd` ranges from 100000 to 999999.
3. Match the captured cookie value against the generated permutations to recover the inner MD5 hash.
4. Look up the MD5 hash against the original wordlist to obtain the cleartext password [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.