[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Toby Corkindale toby.corkindale at strategicdata.com.au
Thu Apr 8 01:15:52 GMT 2010


So, a while back there was some.. slightly heated.. discussion about 
security issues with C-P-A-Password.. or perhaps one of the modules it 
uses internally.. in certain cases, if certain options are, or are not, 
set. Then it quietened down without any apparent conclusion being reached.

Now that some time has passed, I wondered if someone could provide a 
synopsis of the outcome of these investigations and discussions?

In short:
  * In what circumstances was an attack possible?
    i.e. What combination of modules, options, auth methods.
  * Which versions were vulnerable, and if any, at what version were they fixed, if any?
  * What mitigating factors can be applied to existing systems to reduce their vulnerability to the attack?


Thanks,
Toby


