[Catalyst] Outcome of the "Security issue with hashed passwords
in C:P:A:Password"?
J. Shirley
jshirley at gmail.com
Thu Apr 8 01:23:22 GMT 2010
On Wed, Apr 7, 2010 at 6:15 PM, Toby Corkindale
<toby.corkindale at strategicdata.com.au> wrote:
> So, a while back there was some... slightly heated... discussion about
> security issues with C-P-A-Password... or perhaps one of the modules it uses
> internally... in certain cases, if certain options are, or are not, set. Then
> it quietened down without any apparent conclusion being reached.
>
> Now that some time has passed, I wondered if someone could provide a
> synopsis of the outcome of these investigations and discussions?
>
> In short:
> * In what circumstances was an attack possible?
> i.e. What combination of modules, options, auth methods.
> * Which versions were vulnerable, and if any, at what version were they
> fixed, if any?
> * What mitigating factors can be applied to existing systems to reduce
> their vulnerability to the attack?
>
>
> Thanks,
> Toby
>
In my opinion, a non-issue from the start unless you specifically
enable the "I want a weak crypt" option.
C::P::A defers to Crypt::SaltedHash, which handles everything fine.
The ticket is still open because Evan is going to look into it further.
You can follow the ticket at
https://rt.cpan.org/Public/Bug/Display.html?id=55850
-Jay