
This queue is for tickets about the Authen-Simple CPAN distribution.

Report information
The Basics
Id: 118165
Status: new
Priority: 0/
Queue: Authen-Simple

Owner: Nobody in particular
Requestors: wieger+cpanrt [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Security weakness in Authen::Simple::Password
Date: Fri, 30 Sep 2016 14:11:12 +0200 (CEST)
From: Wieger Opmeer <wieger+cpanrt [...]>
To: bug-Authen-Simple [...]
Message-ID: <alpine.DEB.2.11.1609301348391.5540 [...]>
Hi,

The check function in Authen::Simple::Password first (line 15) does a `return 1 if $password eq $encrypted`. This means that if an attacker has gotten hold of the encrypted passwords he/she can trivially log in by entering the encrypted form of the password. De facto this makes any encryption of the password useless.

I think that either the check function should be made configurable and only try the configured methods, or at the very least not do the plain password comparison if `$encrypted` looks like some form of encrypted password.

I look forward to hearing your opinion on this.

Regards,
Wieger Opmeer
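The weakness described in the report, and the stricter ordering it asks for, re-created in Python as an added example. This is not the Authen::Simple::Password code and not Perl; the `{SSHA256}salt$hexdigest` stored format, the `looks_encrypted` heuristic and all credentials below are constructed for the illustration. `check_weak` mirrors the ordering the report describes (plaintext equality is tried before any hash scheme), `check_strict` only tries the scheme the stored value declares and makes plaintext comparison opt-in.

```python
"""Plaintext-short-circuit weakness in a password check, beside a stricter
check. Added example; a Python re-creation, not the module's own code."""
import hashlib
import hmac
import re
import secrets

# Constructed stored-credential format for this example: "{SSHA256}salt$digest".
# The tag, salt handling and layout are assumptions, not a real scheme name.
_SSHA256_RE = re.compile(r"\{SSHA256\}([0-9a-f]+)\$([0-9a-f]{64})")


def make_ssha256(password, salt=None):
    """Produce a salted SHA-256 record in the constructed format."""
    salt = salt if salt is not None else secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "{SSHA256}%s$%s" % (salt, digest)


def verify_ssha256(password, encrypted):
    """Verify a password against a constructed {SSHA256} record."""
    match = _SSHA256_RE.fullmatch(encrypted)
    if not match:
        return False
    salt, digest = match.groups()
    expected = hashlib.sha256((salt + password).encode()).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, digest)


def looks_encrypted(stored):
    """Heuristic (an assumption for this example): a stored value that carries
    a "{SCHEME}" tag or a crypt-style "$id$" prefix is treated as hashed."""
    return stored.startswith("{") or stored.startswith("$")


def check_weak(password, encrypted):
    """Mirrors the ordering the report describes: plaintext equality is tested
    first, so anyone holding the stored value passes by submitting it verbatim."""
    if password == encrypted:
        return True
    return verify_ssha256(password, encrypted)


def check_strict(password, encrypted, allow_plaintext=False):
    """Only the method implied by the stored value is tried. A plaintext
    comparison is never attempted against something that looks hashed, and
    is refused entirely unless the caller has opted in."""
    if looks_encrypted(encrypted):
        return verify_ssha256(password, encrypted)
    if allow_plaintext:
        return hmac.compare_digest(password.encode(), encrypted.encode())
    return False


if __name__ == "__main__":
    stored = make_ssha256("correct horse")          # constructed credential
    print("weak, real password:  ", check_weak("correct horse", stored))
    print("weak, stored value:   ", check_weak(stored, stored))      # passes: the weakness
    print("strict, real password:", check_strict("correct horse", stored))
    print("strict, stored value: ", check_strict(stored, stored))    # rejected
```

The second `print` line is the reported problem in one call: the leaked record itself authenticates under the weak ordering. Under `check_strict` a hashed-looking record is only ever checked through its hash scheme, and plaintext records are compared only when the caller explicitly configures that method, which is the "only try the configured methods" behaviour the report asks for.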
