[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

J. Shirley jshirley at gmail.com
Thu Apr 8 01:23:22 GMT 2010


On Wed, Apr 7, 2010 at 6:15 PM, Toby Corkindale
<toby.corkindale at strategicdata.com.au> wrote:
> So, a while back there was some.. slightly heated.. discussion about
> security issues with C-P-A-Password.. or perhaps one of the modules it uses
> internally.. in certain cases, if certain options are, or are not, set. Then
> it quietened down without any apparent conclusion being reached.
>
> Now that some time has passed, I wondered if someone could provide a
> synopsis of the outcome of these investigations and discussions?
>
> In short:
>  * In what circumstances was an attack possible?
>   ie. What combination of modules, options, auth methods.
>  * Which versions were vulnerable, and if any, at what version were they
> fixed, if any?
>  * What mitigating factors can be applied to existing systems to reduce
> their vulnerability to the attack?
>
>
> Thanks,
> Toby
>

In my opinion, a non-issue from the start unless you specifically
enable the "I want a weak crypt" option.

C::P::A defers to Crypt::SaltedHash, which handles everything fine.

The ticket is still open because Evan is going to look into it further.

You can follow the ticket at
https://rt.cpan.org/Public/Bug/Display.html?id=55850

-Jay
