[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?
Toby Corkindale
toby.corkindale at strategicdata.com.au
Thu Apr 8 01:15:52 GMT 2010

So, a while back there was some.. slightly heated.. discussion about
security issues with C-P-A-Password.. or perhaps one of the modules it
uses internally.. in certain cases, if certain options are, or are not,
set. Then it quietened down without any apparent conclusion being reached.

Now that some time has passed, I wondered if someone could provide a
synopsis of the outcome of these investigations and discussions?

In short:

* In what circumstances was an attack possible?
  i.e. What combination of modules, options, auth methods.
* Which versions were vulnerable, and if any, at what version were
  they fixed, if any?
* What mitigating factors can be applied to existing systems to reduce
  their vulnerability to the attack?

Thanks,
Toby