This queue is for tickets about the Authen-Simple CPAN distribution.

Report information
The Basics
Id: 118165
Status: new
Priority: 0/
Queue: Authen-Simple

People
Owner: Nobody in particular
Requestors: wieger+cpanrt [...] a6502.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Security weakness in Authen::Simple::Password
From: Wieger Opmeer <wieger+cpanrt [...] a6502.net>
To: bug-Authen-Simple [...] rt.cpan.org
Date: Fri, 30 Sep 2016 14:11:12 +0200 (CEST)
Message-ID: <alpine.DEB.2.11.1609301348391.5540 [...] stofzuiger.a6502.net>
Hi,

The check function in Authen::Simple::Password first (line 15) does a "return 1 if $password eq $encrypted". This means that if an attacker has gotten hold of the encrypted passwords he/she can trivially log in by entering the encrypted form of the password. De facto this makes any encryption of the password useless.

I think that either the check function should be made configurable and only try the configured methods or at the very least not do the plain password comparison if $encrypted looks like some form of encrypted password.

I look forward to hearing your opinion on this.

Regards,
Wieger Opmeer
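The pattern the report describes, reproduced in a small stand-alone Perl script so the two proposed fixes can be compared. This is an added illustration, not code from Authen::Simple; the `{SHA256}<base64>` storage format, the `hash_password` helper, the `check_vulnerable`/`check_hardened` names and the `plain`/`sha256` method identifiers are all assumptions made for this example. `check_vulnerable` mirrors the ordering the ticket objects to (plaintext comparison first, then the hashed scheme), so the stored hash itself passes as a password; `check_hardened` only tries the methods the caller enables and skips the plaintext comparison whenever the stored value looks like a hashed credential.

```perl
#!/usr/bin/env perl
# Added illustration (not Authen::Simple's own code) of the ordering weakness
# described in the ticket, beside a hardened variant.
use strict;
use warnings;
use Digest::SHA qw(sha256_base64);

# Assumed, simplified storage scheme for this example: "{SHA256}<base64 digest>".
sub hash_password {
    my ($plain) = @_;
    return '{SHA256}' . sha256_base64($plain);
}

# Vulnerable pattern: the plaintext comparison runs before any hashed scheme,
# so whoever holds the stored hash can present it as the password.
sub check_vulnerable {
    my ($password, $encrypted) = @_;
    return 1 if $password eq $encrypted;    # the line the ticket objects to
    if ($encrypted =~ /^\{SHA256\}(.+)$/) {
        my $digest = $1;
        return sha256_base64($password) eq $digest ? 1 : 0;
    }
    return 0;
}

# Hardened pattern: only the caller-configured methods are tried, and the
# plaintext comparison is attempted only when "plain" is enabled and the
# stored value does not carry a "{SCHEME}" prefix.
sub check_hardened {
    my ($password, $encrypted, @methods) = @_;
    for my $method (@methods) {
        if ($method eq 'sha256' && $encrypted =~ /^\{SHA256\}(.+)$/) {
            my $digest = $1;
            return sha256_base64($password) eq $digest ? 1 : 0;
        }
        if ($method eq 'plain' && $encrypted !~ /^\{[A-Z0-9]+\}/) {
            return $password eq $encrypted ? 1 : 0;
        }
    }
    return 0;
}

# Constructed sample credential.
my $stored = hash_password('correct horse');

printf "vulnerable, real password:           %d\n", check_vulnerable('correct horse', $stored);
printf "vulnerable, stored hash as password: %d\n", check_vulnerable($stored, $stored);
printf "hardened,   real password:           %d\n", check_hardened('correct horse', $stored, 'sha256');
printf "hardened,   stored hash as password: %d\n", check_hardened($stored, $stored, 'sha256');
```

Run with `perl` on any system that ships the core Digest::SHA module. The first three checks succeed and the last fails, which is the behaviour the report asks for: a leaked hash no longer doubles as a valid login credential. Making the method list explicit (the first suggestion in the ticket) is the stronger of the two fixes, since prefix sniffing only protects stored values whose scheme is recognisable.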

