Newbee Mall Unsalted MD5 Password Hashing Vulnerability Allows Offline Credential Cracking

Vulnerability

A vulnerability exists in Newbee Mall versions through 1.0.0, where user passwords are stored and verified using an unsalted MD5 hashing algorithm. This implementation lacks per-user salts and computational cost controls, allowing attackers to quickly recover plaintext passwords from hashed credentials obtained through database exposure, backup leaks, or other compromise vectors. The vulnerability is exacerbated by the presence of default admin accounts with known passwords, facilitating full admin compromise.

Impact

Exploitation of this vulnerability allows for rapid offline cracking of password hashes, enabling unauthorized access to user accounts, including admin privileges.

Reproduction

To reproduce this vulnerability, initialize a Newbee Mall deployment that uses the default database schema. This will seed the database with admin accounts that have default passwords. Once the application is running, password hashes can be extracted from the database. Due to the unsalted MD5 hashing, these hashes can be easily cracked offline, especially since identical passwords produce the same hash.

Added: Feb 12, 2026, 7:19 PM
Updated: Feb 12, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 7.6
remediation: 0.0
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.