This queue is for tickets about the Authen-Simple CPAN distribution.

Report information
The Basics
Id: 118165
Status: new
Priority: 0/
Queue: Authen-Simple

People
Owner: Nobody in particular
Requestors: wieger+cpanrt [...] a6502.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Security weakness in Authen::Simple::Password
Date: Fri, 30 Sep 2016 14:11:12 +0200 (CEST)
To: bug-Authen-Simple [...] rt.cpan.org
From: Wieger Opmeer <wieger+cpanrt [...] a6502.net>
Hi,

The check function in Authen::Simple::Password first (line 15) does a "return 1 if $password eq $encrypted". This means that if an attacker has gotten hold of the encrypted passwords he/she can trivially log in by entering the encrypted form of the password. De facto this makes any encryption of the password useless.

I think that either the check function should be made configurable and only try the configured methods or at the very least not do the plain password comparison if $encrypted looks like some form of encrypted password.

I look forward to hearing your opinion on this.

Regards,
Wieger Opmeer
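The following is an added illustration, not code from Authen::Simple or from the reporter: it contrasts the plaintext-first check shape the ticket describes with a check that implements the second suggestion, skipping the plaintext comparison whenever the stored value is recognisably a hash. The recognised formats (LDAP-style {SHA} and modular crypt(3) strings), the helper names and the sample record are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example, not Authen::Simple's code: a hardened check() that refuses the
# plaintext shortcut when the stored value is recognisably a hashed password.
use strict;
use warnings;
use Digest::SHA qw(sha1_base64);   # core module

# Digest::SHA's base64 output omits '=' padding; LDAP-style {SHA} strings carry it.
sub b64pad { my $s = shift; $s .= '=' while length($s) % 4; return $s }

# Return the storage format of $stored, or undef if it looks like plaintext.
# Formats assumed here: LDAP "{SHA}<base64>" and modular crypt(3) "$id$...".
sub stored_format {
    my ($stored) = @_;
    return 'sha'   if $stored =~ /^\{SHA\}/;
    return 'crypt' if $stored =~ /^\$[0-9a-z]+\$/i;
    return;
}

# One verifier per recognised format: the stored string is never compared as-is.
my %VERIFY = (
    sha   => sub { my ($pw, $st) = @_; '{SHA}' . b64pad(sha1_base64($pw)) eq $st },
    crypt => sub { my ($pw, $st) = @_; my $c = crypt($pw, $st); defined $c && $c eq $st },
);

# The shape of the weak check described in the ticket: plaintext first, always,
# so presenting the stored hash itself as the password is accepted.
sub check_weak {
    my ($password, $stored) = @_;
    return 1 if $password eq $stored;
    my $fmt = stored_format($stored);
    return $fmt && $VERIFY{$fmt}->($password, $stored) ? 1 : 0;
}

# Hardened: plaintext comparison only when nothing marks $stored as hashed.
sub check_hardened {
    my ($password, $stored) = @_;
    my $fmt = stored_format($stored);
    return $password eq $stored ? 1 : 0 unless $fmt;
    return $VERIFY{$fmt}->($password, $stored) ? 1 : 0;
}

# Constructed sample record: a {SHA} entry for the password "correct horse".
my $stored = '{SHA}' . b64pad(sha1_base64('correct horse'));

printf "weak,     real password : %d\n", check_weak('correct horse', $stored);
printf "weak,     stored hash   : %d\n", check_weak($stored, $stored);      # the weakness
printf "hardened, real password : %d\n", check_hardened('correct horse', $stored);
printf "hardened, stored hash   : %d\n", check_hardened($stored, $stored);  # now rejected
```

The format check is a heuristic, so a genuinely plaintext record that happens to begin with `{SHA}` or `$id$` would be treated as hashed; the ticket's first suggestion, configuring which methods are tried, avoids that ambiguity entirely.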