[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Toby Corkindale toby.corkindale at strategicdata.com.au
Thu Apr 8 08:30:02 GMT 2010


On 08/04/10 16:21, Andrew Rodland wrote:
>>    * In what circumstances was an attack possible?
>>      ie. What combination of modules, options, auth methods.
>
> * You use Catalyst::Authentication::Credential::Password.
> * With the "hashed" password_type.
> * And your database is compromised.

I'd like to follow up that last point, regarding the DB being compromised.

Is that definitely a requirement for the vulnerability?
I ask because, in many cases, if your DB is compromised, then the horse 
has already bolted.
I understand that isn't the case for everyone, such as payment 
processors, online shops, etc., where actions can be carried out by 
logged-in users that cause external effects... but in some cases, the 
database IS the website, and if you've stolen it, then there's no point 
logging in as another user artificially.

But, yes, it's still worth looking into fixing then I think.
