[Catalyst] Outcome of the "Security issue with hashed passwords
toby.corkindale at strategicdata.com.au
Thu Apr 8 08:30:02 GMT 2010
On 08/04/10 16:21, Andrew Rodland wrote:
>> * In what circumstances was an attack possible?
>> ie. What combination of modules, options, auth methods.
> * You use Catalyst::Authentication::Credential::Password.
> * With the "hashed" password_type.
> * And your database is compromised.
I'd like to follow up that last point, regarding the DB being compromised.
Is that definitely a requirement for the vulnerability?
I ask because, in many cases, if your DB is compromised, then the horse
has already bolted.
I understand that isn't the case for everyone, such as payment
processors, online shops, etc. where actions can be carried out by
logged in users that cause external effects.. but in some cases, the
database IS the website, and if you've stolen it, then there's no point
logging in as another user artificially.
But, yes, it's still worth looking into fixing then I think.
More information about the Catalyst