I've had a look into this and while it's not as bad as it first seems, it's still pretty bad.
The passwords are being hashed locally using MD5 (unsalted):
Code:
onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)"
After this the hash is sent to the server in plaintext:
Code:
Frame 28641: 880 bytes on wire (7040 bits), 880 bytes captured (7040 bits) on interface 0
Ethernet II, Src: AsrockIn_ea:c1:44 (00:34:22:ef:e0:31), Dst: SamsungE_16:36:81 (21:fb:6b:18:16:77)
Internet Protocol Version 4, Src: 192.168.192.37, Dst: 104.25.185.9
Transmission Control Protocol, Src Port: 58448, Dst Port: 80, Seq: 1, Ack: 1, Len: 826
Hypertext Transfer Protocol
POST /bbs/login.php?do=login HTTP/1.1\r\n
Host: www.getdare.com\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-GB,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Referer: http://www.getdare.com/bbs/\r\n
DNT: 1\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 194\r\n
\r\n
[Full request URI: http://www.getdare.com/bbs/login.php?do=login]
[HTTP request 1/1]
[Response in frame: 28655]
File Data: 194 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "vb_login_username" = "redambergreen"
Form item: "vb_login_password" = ""
Form item: "s" = ""
Form item: "securitytoken" = "guest"
Form item: "do" = "login"
Form item: "vb_login_md5password" = "7a495904a8c0b3e6aabe27440b436c28"
Form item: "vb_login_md5password_utf" = "7a495904a8c0b3e6aabe27440b436c28"
(No, that's not my real hash).
This is very easily attacked by capturing the packet (as I just did), and using something like Fiddler to manipulate the POST payload upon logon with the username and hash of someone else on your local network.
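As an added example (not part of the original post), here is a small Python check over captured login POSTs that flags the two conditions described above: a digest-shaped credential field sent to port 80, and the same digest being sent on every login. The capture dictionaries, function names and the "port 80 means cleartext" rule are assumptions made for illustration; the field names and values are taken from the capture in the post.

```python
import re
from urllib.parse import parse_qs

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample: two login POSTs whose body is rebuilt from the form
# items shown in the capture above (the hash is the post's dummy value).
BODY = (
    "vb_login_username=redambergreen&vb_login_password=&s=&securitytoken=guest"
    "&do=login&vb_login_md5password=7a495904a8c0b3e6aabe27440b436c28"
    "&vb_login_md5password_utf=7a495904a8c0b3e6aabe27440b436c28"
)
CAPTURES = [
    {"dst_port": 80, "path": "/bbs/login.php?do=login", "body": BODY},
    {"dst_port": 80, "path": "/bbs/login.php?do=login", "body": BODY},
]


def audit_login(capture):
    """Return (finding, fields) tuples for one captured login POST."""
    form = parse_qs(capture["body"], keep_blank_values=True)
    # Any field whose value is exactly 32 hex characters looks like a bare MD5.
    digest_fields = sorted(k for k, v in form.items() if MD5_HEX.match(v[0]))
    findings = []
    if digest_fields:
        findings.append(("md5-shaped-credential", digest_fields))
        # Assumption: destination port 80 means no transport encryption.
        if capture["dst_port"] == 80:
            findings.append(("credential-over-cleartext-http", digest_fields))
    return findings


def static_credentials(captures):
    """Users whose digest is identical across logins (no nonce mixed in)."""
    seen = {}
    for capture in captures:
        form = parse_qs(capture["body"], keep_blank_values=True)
        user = form["vb_login_username"][0]
        seen.setdefault(user, []).append(form["vb_login_md5password"][0])
    return sorted(u for u, d in seen.items() if len(d) > 1 and len(set(d)) == 1)


if __name__ == "__main__":
    for finding in audit_login(CAPTURES[0]):
        print(finding)
    print("static digest for:", static_credentials(CAPTURES))
```

A digest that never changes between logins is equivalent to the password for anyone who can read the traffic, so client-side hashing does not remove the need to encrypt the login request in transit.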