Skip Menu |

This queue is for tickets about the CGI-Session-Auth CPAN distribution.

Report information
The Basics
Id: 67977
Status: open
Priority: 0/
Queue: CGI-Session-Auth
People
Owner: geewiz [...] cpan.org
Requestors: cheako [...] mikemestnik.net
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri May 06 01:11:21 2011 cheako [...] mikemestnik.net - Ticket created
Subject: libcgi-session-auth-dbi-perl: Room for improved security.
Date: Fri, 06 May 2011 00:11:10 -0500
To: bug-CGI-Session-Auth [...] rt.cpan.org
From: Mike Mestnik <cheako [...] mikemestnik.net>
Version: DBI.pm 25 2006-02-21 12:07:26Z geewiz There are 6 bugs here, feel free to clone this or ignore some of these... Just not the bug I'm reporting, The really really really important part, line 106 should be moved down at least 6 lines. The password should not be going anywhere until after it's hashed. Any logs made as a result of this statement would result in the generation of a lookup table matching passwords to hash though user-names to passwords is more accurate. Let me try and be clear on this. The idea of hashing all the passwords is to protect the passwords from any one and every one(including and especially the administrators/owners/operators) who may have access to the stored passwords. It's not likely the stored passwords will be kept in a place less secure then any logs and it's considerably impossible to imagine that crypted passwords would be readable by anyone who would be unable to read the logs and/or activate debugging to create logs. Though it's true every application has a week spot where it's data can be shunted out a backdoor some where, it's not something that should be readily accessible. The purpose being so that users can albeit not safely use the same password to multiple resources without the fear that one admin will use this to gain access to a resource he/she is not entitled. An example being A Yahoo mail user using the same password for a Google Account of some sort, could be Gmail or something else. One day as Yahoo goes out of business they may try there extensive password database against Google accounts to see what's what. Nothing could prevent this, but a good step is to ensure that every or at least as many password database are unusable to any one who may or may not have malicious intent. EncryptPW is not documented. HashPW should be an alias to EncryptPW because [1]md5, the cryptographic hash function, is not Encrypt(ion). CryptPW could also be an alias, though you need to support a lot MORE(DES, MD5, Blowfish, SHA-256, SHA-512, ect) then md5 to be considered a replacement for crypt(). Neither of these functions have much if anything to do with Encryption, though the term One-Way-Encryption was used prior to these functions being named hash functions. 1. http://en.wikipedia.org/wiki/MD5 I say this mainly because MD5 has been made unusable, SHA1 is even becoming less usefull. SHA-256 with support for SHA-512 is where most new deployments and applications should be pointed. The default passwordfield for hashed passwords should be changed, this is to avoid the types of problems typically corrected by "strict vars". On another note: Postgresql has support for a UUID type, detection of this would be great for the userid field. The semantics are simple (Input)INSERT and UPDATE as you do now is transparently supported, though (Output)SELECT is always in the standard form. eg: a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11 It should only take a small bit of code to support this, like s/-//g. -- System Information: Debian Release: 6.0.1 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.35.4-rscloud (SMP w/4 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Versions of packages libcgi-session-perl depends on: ii perl 5.10.1-17 Larry Wall's Practical Extraction Versions of packages libcgi-session-perl recommends: ii libdbi-perl 1.612-1 Perl Database Interface (DBI) libcgi-session-perl suggests no packages. -- no debconf information
  Thu May 12 00:02:48 2011 cheako [...] mikemestnik.net - Correspondence added
Subject: Re: [rt.cpan.org #67977] AutoReply: libcgi-session-auth-dbi-perl: Room for improved security.
Date: Wed, 11 May 2011 23:02:37 -0500
To: bug-CGI-Session-Auth [...] rt.cpan.org
From: Mike Mestnik <cheako [...] mikemestnik.net>
Here is a patch that addresses some of these issues. --- share/perl/5.10.1/CGI/Session/Auth/DBI.pm 2010-03-03 09:13:24.000000000 -0600 +++ ./lib/site_perl/CGI/Session/Auth/DBI.pm 2011-05-11 22:49:20.000000000 -0500 @@ -61,6 +61,7 @@ # parameter 'EncryptPW': passwords are MD5-encrypted (default 0) $self->{encryptpw} = $params->{EncryptPW} || 0; + $self->{saltencryptpw} = $params->{SaltEncryptPW} || 0; # parameter 'UserTable': name of user data table $self->{usertable} = $params->{UserTable} || 'auth_user'; $self->{usernamefield} = $params->{UsernameField} || 'username'; @@ -103,7 +104,7 @@ my $self = shift; my ($username, $password) = @_; - $self->_debug("username: $username, password: $password"); + $self->_debug("username: $username"); if ($self->{encryptpw}) { $password = $self->_encpw($password); @@ -113,16 +114,26 @@ my $result = 0; my $query = sprintf( - "SELECT * FROM %s WHERE %s = ? AND %s = ?", + "SELECT * FROM %s WHERE %s = ?", $self->{usertable}, $self->{usernamefield}, - $self->{passwordfield}, ); $self->_debug("query: $query"); # search for username my $sth = $self->_dbh->prepare($query); - $sth->execute($username, $password) or croak $self->_dbh->errstr; + $sth->execute($username) or croak $self->_dbh->errstr; if (my $rec = $sth->fetchrow_hashref) { + my $pwhash = $rec->{$self->{passwordfield}}; + { + if ( $self->{saltencryptpw} ) { + require Crypt::SaltedHash; + # TODO the default is 4, I need 16. + last unless Crypt::SaltedHash->validate( $pwhash, $password, + $self->{saltencryptpw}); + } else { + last if ($password ne $pwhash); + } + } $self->_debug("found user entry"); $self->_extractProfile($rec); $result = 1; Base64/BZ2 compressed copy of above patch, with example usage: <<EOF tr -d '\n' | base64 -d | bzcat QlpoOTFBWSZTWTfrs9oAARFfgGcwXv//u//n3oC/7//uUAM5PZRm1T0MJSKelNMaTzKmRkeUaGQG nqMnqGg0GmjwoaNBwDCMJpiGAQDIAYRpkyYRgIaCU0QKaACT0mmQzU0DamgBoZPUAD1AaDJSNAaA DQNNAAAAAAAAAJJCaDQEmKPU9qh6jyNGo9QANGQAAMmlRmbcEzZWax8R2/vDxovJtC9um6J0JwdK oytvJxKSaUYbS3Zu0rgYM4gGDHi3kJ2kMDwnYeDAGCsmmF9bFPKPcWMqLYSEkp8n8Z01c69nyJJD eI0t6Od1kfXh0WQnHpqw8l9rq6NapfXV2+gjXhYlxKjVtgIneM+QqJRd3bj6++Wau2VbFwcI/ORy m81hv3KgNsHJmGSSOJApTIiJU5J0rSqUpCKshr/zxvAZHf7Av9A6SR4MkLNKvkMWp+xR9y1jlZm7 onahSae+W5n7zuNzOpDUNC+aS5WMEFSV/ED0ibkjRW0Np+v2VurJHmy7bwX7c6gw4HLEzPRJNUHq KdFPSoTy5FrsRqHeLrUQpp4m/l53nWjxddNo0b/BmOc6DfwazIa7+1OW7dIOsjiVJvnq/UANAAJv OMm1MjSbojmIJu5hjoJykoILctgimMZeGTFA4gGT2vVxrBVKCUh3zYGj+4WtQpYKIqUDJcvwjlKV Y+zTGmRO1BHhPwSvc6QahnJHqNRymboevkipKWFlgyCaYJh7CcQrys2yJtgG22gxxlU1gnDkBCZ5 YQk3SSwovSmVLEUIRKzfTizNCkcRRwDAuwMdQX9YnM9pOWRbEC6uDNAMIosqU8fDbEGO73ObCGTu JLrtiiCdpfsZf2z4mmGakti7skD5mZGBkxcnoRxTuqBwtIyQe67UwaCy5kinkTCqgNa+YgzxxhoS Gg86AbISpMCP5O0Mr6iQw5MshCysYQQIjUIEXJaEiCoYrHRi8dQJVG6LzKMEmO8RQS6Vexr2B11s 0XoRiv8MgZgyogNUaX3KCFOGA8ikUpmbKYvcsKKaCh8jCehExrkEVTFDzjm6g4QaUw2mhamw3MHa M4cB5CnuXyZVpDIyLQlnALQ20AHSDweuNq8EO/pJDwti/4u5IpwoSBv12e0A EOF
  Thu May 12 00:10:04 2011 cheako [...] mikemestnik.net - Correspondence added
Subject: Re: [rt.cpan.org #67977] AutoReply: libcgi-session-auth-dbi-perl: Room for improved security.
Date: Wed, 11 May 2011 23:09:54 -0500
To: bug-CGI-Session-Auth [...] rt.cpan.org
From: Mike Mestnik <cheako [...] mikemestnik.net>
I'm sooo sorry for the following patch. It works when using the correct password and works using any other password. On 05/11/11 23:02, Mike Mestnik wrote: Show quoted text
> Here is a patch that addresses some of these issues. > > --- share/perl/5.10.1/CGI/Session/Auth/DBI.pm 2010-03-03 > 09:13:24.000000000 -0600 > +++ ./lib/site_perl/CGI/Session/Auth/DBI.pm 2011-05-11 > 22:49:20.000000000 -0500 > @@ -61,6 +61,7 @@ > > # parameter 'EncryptPW': passwords are MD5-encrypted (default 0) > $self->{encryptpw} = $params->{EncryptPW} || 0; > + $self->{saltencryptpw} = $params->{SaltEncryptPW} || 0; > # parameter 'UserTable': name of user data table > $self->{usertable} = $params->{UserTable} || 'auth_user'; > $self->{usernamefield} = $params->{UsernameField} || 'username'; > @@ -103,7 +104,7 @@ > my $self = shift; > my ($username, $password) = @_; > > - $self->_debug("username: $username, password: $password"); > + $self->_debug("username: $username"); > > if ($self->{encryptpw}) { > $password = $self->_encpw($password); > @@ -113,16 +114,26 @@ > my $result = 0; > > my $query = sprintf( > - "SELECT * FROM %s WHERE %s = ? AND %s = ?", > + "SELECT * FROM %s WHERE %s = ?", > $self->{usertable}, > $self->{usernamefield}, > - $self->{passwordfield}, > ); > $self->_debug("query: $query"); > # search for username > my $sth = $self->_dbh->prepare($query); > - $sth->execute($username, $password) or croak $self->_dbh->errstr; > + $sth->execute($username) or croak $self->_dbh->errstr; > if (my $rec = $sth->fetchrow_hashref) { > + my $pwhash = $rec->{$self->{passwordfield}}; > + { > + if ( $self->{saltencryptpw} ) { > + require Crypt::SaltedHash; > + # TODO the default is 4, I need 16. > + last unless Crypt::SaltedHash->validate( $pwhash, $password, > + $self->{saltencryptpw}); > + } else { > + last if ($password ne $pwhash); > + } > + } > $self->_debug("found user entry"); > $self->_extractProfile($rec); > $result = 1; > > Base64/BZ2 compressed copy of above patch, with example usage: > <<EOF tr -d '\n' | base64 -d | bzcat > QlpoOTFBWSZTWTfrs9oAARFfgGcwXv//u//n3oC/7//uUAM5PZRm1T0MJSKelNMaTzKmRkeUaGQG > nqMnqGg0GmjwoaNBwDCMJpiGAQDIAYRpkyYRgIaCU0QKaACT0mmQzU0DamgBoZPUAD1AaDJSNAaA > DQNNAAAAAAAAAJJCaDQEmKPU9qh6jyNGo9QANGQAAMmlRmbcEzZWax8R2/vDxovJtC9um6J0JwdK > oytvJxKSaUYbS3Zu0rgYM4gGDHi3kJ2kMDwnYeDAGCsmmF9bFPKPcWMqLYSEkp8n8Z01c69nyJJD > eI0t6Od1kfXh0WQnHpqw8l9rq6NapfXV2+gjXhYlxKjVtgIneM+QqJRd3bj6++Wau2VbFwcI/ORy > m81hv3KgNsHJmGSSOJApTIiJU5J0rSqUpCKshr/zxvAZHf7Av9A6SR4MkLNKvkMWp+xR9y1jlZm7 > onahSae+W5n7zuNzOpDUNC+aS5WMEFSV/ED0ibkjRW0Np+v2VurJHmy7bwX7c6gw4HLEzPRJNUHq > KdFPSoTy5FrsRqHeLrUQpp4m/l53nWjxddNo0b/BmOc6DfwazIa7+1OW7dIOsjiVJvnq/UANAAJv > OMm1MjSbojmIJu5hjoJykoILctgimMZeGTFA4gGT2vVxrBVKCUh3zYGj+4WtQpYKIqUDJcvwjlKV > Y+zTGmRO1BHhPwSvc6QahnJHqNRymboevkipKWFlgyCaYJh7CcQrys2yJtgG22gxxlU1gnDkBCZ5 > YQk3SSwovSmVLEUIRKzfTizNCkcRRwDAuwMdQX9YnM9pOWRbEC6uDNAMIosqU8fDbEGO73ObCGTu > JLrtiiCdpfsZf2z4mmGakti7skD5mZGBkxcnoRxTuqBwtIyQe67UwaCy5kinkTCqgNa+YgzxxhoS > Gg86AbISpMCP5O0Mr6iQw5MshCysYQQIjUIEXJaEiCoYrHRi8dQJVG6LzKMEmO8RQS6Vexr2B11s > 0XoRiv8MgZgyogNUaX3KCFOGA8ikUpmbKYvcsKKaCh8jCehExrkEVTFDzjm6g4QaUw2mhamw3MHa > M4cB5CnuXyZVpDIyLQlnALQ20AHSDweuNq8EO/pJDwti/4u5IpwoSBv12e0A > EOF >
  Thu May 12 00:15:47 2011 cheako [...] mikemestnik.net - Correspondence added
Subject: Re: [rt.cpan.org #67977] AutoReply: libcgi-session-auth-dbi-perl: Room for improved security.
Date: Wed, 11 May 2011 23:15:37 -0500
To: bug-CGI-Session-Auth [...] rt.cpan.org
From: Mike Mestnik <cheako [...] mikemestnik.net>
Here is a better tested copy of the a similar patch!!! Notice the closing brace was moved down a few lines, notably after the session is marked authenticated. --- share/perl/5.10.1/CGI/Session/Auth/DBI.pm 2010-03-03 09:13:24.000000000 -0600 +++ ./lib/site_perl/CGI/Session/Auth/DBI.pm 2011-05-11 23:11:01.000000000 -0500 @@ -61,6 +61,7 @@ # parameter 'EncryptPW': passwords are MD5-encrypted (default 0) $self->{encryptpw} = $params->{EncryptPW} || 0; + $self->{saltencryptpw} = $params->{SaltEncryptPW} || 0; # parameter 'UserTable': name of user data table $self->{usertable} = $params->{UserTable} || 'auth_user'; $self->{usernamefield} = $params->{UsernameField} || 'username'; @@ -103,7 +104,7 @@ my $self = shift; my ($username, $password) = @_; - $self->_debug("username: $username, password: $password"); + $self->_debug("username: $username"); if ($self->{encryptpw}) { $password = $self->_encpw($password); @@ -113,20 +114,30 @@ my $result = 0; my $query = sprintf( - "SELECT * FROM %s WHERE %s = ? AND %s = ?", + "SELECT * FROM %s WHERE %s = ?", $self->{usertable}, $self->{usernamefield}, - $self->{passwordfield}, ); $self->_debug("query: $query"); # search for username my $sth = $self->_dbh->prepare($query); - $sth->execute($username, $password) or croak $self->_dbh->errstr; + $sth->execute($username) or croak $self->_dbh->errstr; if (my $rec = $sth->fetchrow_hashref) { + my $pwhash = $rec->{$self->{passwordfield}}; + { + if ( $self->{saltencryptpw} ) { + require Crypt::SaltedHash; + # TODO the default is 4, I need 16. + last unless Crypt::SaltedHash->validate( $pwhash, $password, + $self->{saltencryptpw}); + } else { + last if ($password ne $pwhash); + } $self->_debug("found user entry"); $self->_extractProfile($rec); $result = 1; $self->_info("user '$username' logged in"); + } } $sth->finish; Base64/BZ2 compressed copy of above patch, with example usage: <<EOF tr -d '\n' | base64 -d | bzcat QlpoOTFBWSZTWSYTAAgAASNfgGcwXv//u//n3oC/7//uUANe5k0tWagISURJpsU2mKeUBk0NAPUe oaZGRoAPU9IyA4BhGE0xDAIBkAMI0yZMIwENBKaEjU1T2gk9Q9T1NAaeoPUb1QGgGnqaNAZBkOAY RhNMQwCAZADCNMmTCMBDQSKI0CU9PFPU1P0jJNonqepiaAAGQAGg00oQBuDAuSpPkQXVq1tVNYPo 68bJpUEoybZJOnUnEmIe+s6aRBNwDHREAMZcmpCdpYYeE4zwaw13NzZr3lUR9RyYeTAw9JyNznG1 eN9PxMOnhtltTZuWSyaTZ81kKSt8WCsr0cjyjjY3BX2aC42d1aycibFDEyi453aMg+QaDb1o9/GC aCF+BhaDgHNQy15ig30UTqwGyXZIZJI7qBTQiCJs36WW2WpTIoWqrONel9s7wG47/k5UPzSOkkb2 5C6U14DJrfuWOaa1PMzNsHBSJTuFhT64csOSDhUHEOa2exexlwisC3jCKRTCy3HipsP3vFj4yT1Z +XEHDnvuJMl7mI36mi1JNUHqK21KmlQnrRK1LDWPNtEUuiimFwcL2Ue66Wjd03mspv6HzFpzV/rP CJVsoiVygcLKJQoe4AXiAawiYt1MJSYYYhwpxul+o+TKVEMuB82KS+bQ7SVEZtE34w+N5lCg/J5S 3hMxcZNJhI6ZhmjpQel48Vpe2x/GfttdiwiVYWcT0LXwujGpHWXTES53F6IeSfivvEwUoFEoQzk2 4M22KNjG5KwZYzoosdIcgITPN4S3OTfxOXUsKmRjEMxjyYYuukpxFkCY0DQt0Z1hdiUHZylB2JLK D3cm3FCGSdzc8b7eGrKGi3Pj4nNpAJ3EJdls0QUzG5rTfzL9DdmLn6lxmptx3yc+Zii83KIKIkbK Ko1hEWgYI91uphZiZa2Cr5ExWTEiDjdIneaciTZ0hzxP6FDShqHdm+B2sehI01LfQ1wZAwGNzDHi lFIvgpLTu6YkKUlWcsomAwsZ3iSCzqVrO3rDFb2e0SNAf4YhsMAsc47DejtKZCpRcRJJFabeBojB XU1UlMchkopROcViJKqSInHP1hrB2Tj3qdDOB3nKwmMwbZ5CrVbY1kSGi9Z0swBlDZSAdQRDZNDu NXsQ7+wkeFtX/F3JFOFCQJhMACA= EOF
  Thu Jun 16 12:38:42 2011 geewiz [...] cpan.org - Correspondence added
Subject: Room for improved security.
Hi Mike, thanks for your feedback! Obviously, I can't spare much time to maintain the module, but since you put in so much effort, I'll see how to work your suggestions in ASAP. I just moved the project source to github (https://github.com/geewiz/perl-cgi-session-auth) and hope to be able to do some work on the module soon. Thanks again and best regards, Jochen
  Thu Jun 16 12:38:42 2011 The RT System itself - Status changed from 'new' to 'open'
  Thu Jun 16 12:38:43 2011 geewiz [...] cpan.org - Given to GEEWIZ