This queue is for tickets about the Authen-Simple CPAN distribution.

Report information
The Basics
Id: 118165
Status: new
Priority: 0/
Queue: Authen-Simple

People
Owner: Nobody in particular
Requestors: wieger+cpanrt [...] a6502.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Security weakness in Authen::Simple::Password
Date: Fri, 30 Sep 2016 14:11:12 +0200 (CEST)
To: bug-Authen-Simple [...] rt.cpan.org
From: Wieger Opmeer <wieger+cpanrt [...] a6502.net>
Hi,

The check function in Authen::Simple::Password first (line 15) does a "return 1 if $password eq $encrypted". This means that if an attacker has gotten hold of the encrypted passwords he/she can trivially log in by entering the encrypted form of the password. De facto this makes any encryption of the password useless.

I think that either the check function should be made configurable and only try the configured methods or at the very least not do the plain password comparison if $encrypted looks like some form of encrypted password.

I look forward to hearing your opinion on this.

Regards,
Wieger Opmeer
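The weakness the report describes, next to the configurable-methods mitigation it proposes, as an added Python example (not code from Authen::Simple or from the reporter). The {SHA}/{SSHA} verifier, the hash-shape regex and the constructed sample credential are this example's own assumptions, not the module's API.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed sample credential: RFC 2307 "{SHA}" digest of the password "s3cret".
PASSWORD = "s3cret"
STORED = "{SHA}" + base64.b64encode(hashlib.sha1(PASSWORD.encode()).digest()).decode()

# Values that look like a stored hash rather than a plaintext password: an
# RFC 2307 "{SCHEME}" prefix, a crypt(3)-style "$id$" prefix, or a bare
# 32/40/64-character hex digest (MD5 / SHA-1 / SHA-256). Assumed heuristic.
LOOKS_HASHED = re.compile(
    r"^(\{[A-Za-z0-9-]+\}|\$[0-9a-z]+\$|[0-9a-f]{32}$|[0-9a-f]{40}$|[0-9a-f]{64}$)",
    re.IGNORECASE,
)

def _verify_sha(password, encrypted):
    """Verify "{SHA}b64(sha1(pw))" or "{SSHA}b64(sha1(pw + salt) + salt)"."""
    m = re.match(r"^\{(S?SHA)\}(.+)$", encrypted)
    if not m:
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except (binascii.Error, ValueError):
        return False
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is salt
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)

def check_weak(password, encrypted):
    """The pattern the ticket reports: plaintext equality is tried first, so
    the stored ciphertext itself is accepted as a valid password."""
    if password == encrypted:
        return True
    return _verify_sha(password, encrypted)

def check_hardened(password, encrypted, methods=("sha",)):
    """Only the configured methods are tried; a plain comparison, if enabled,
    is refused when the stored value looks like a hash."""
    for method in methods:
        if method == "sha" and _verify_sha(password, encrypted):
            return True
        if method == "plain" and not LOOKS_HASHED.match(encrypted) \
                and hmac.compare_digest(password.encode(), encrypted.encode()):
            return True
    return False
```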

