[Catalyst] Security issue with hashed passwords in C:P:A:Password
Tomas Doran
bobtfish at bobtfish.net
Wed Mar 24 00:39:30 GMT 2010
On 23 Mar 2010, at 20:17, Evan Carroll wrote:
> This is broken implementation. Hard coding salt in a config file only
> protects you from a rainbow table without that salt. It still doesn't
> solve the problem of cached hashings.
Thanks for the responsible disclosure of a potential security
vulnerability.
I had an entire 4 mins after the bug report in which to make a fix
available.... :)
Cheers
t0m
P.S. Yes, I appreciate that the attack surface is fairly limited here,
but I feel the point still holds.
P.P.S. I expect to be uploading a fix for this in the next 24-48 hours for
anyone who is concerned that evil people in possession of their
application configuration are generating the relevant rainbow tables
right now...
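The point in the quoted report, that a single salt hard-coded in the application config only defeats rainbow tables built without that salt, and that every user sharing one salt still lets identical passwords hash identically and lets an attacker who has the config precompute one table for all users, is shown below in an added Python example. This is not Catalyst or C:P:A:Password code (that plugin is Perl); the config salt value, the wordlist and the user names are constructed for the demonstration. The hardened half goes one step beyond the thread's salt-only point by also using a slow KDF (PBKDF2-HMAC-SHA256) on top of the per-user random salt.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed inputs: an application-wide salt as a config file would hold it
# (the value an attacker is assumed to have read from the config), and a tiny
# wordlist standing in for a precomputed rainbow/dictionary table.
CONFIG_SALT = b"s3cret-app-salt"
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]


def hash_static_salt(password: str, salt: bytes = CONFIG_SALT) -> str:
    """The scheme the thread criticises: one shared salt, SHA-256(salt || password)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precompute_table(salt: bytes, wordlist) -> dict:
    """What an attacker who knows the shared salt builds once and reuses for every user."""
    return {hash_static_salt(w, salt): w for w in wordlist}


def crack_all(table: dict, stored: dict) -> dict:
    """Crack every user by dictionary lookup alone: no per-user hashing work at all."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def hash_per_user(password: str, salt: Optional[bytes] = None,
                  iterations: int = 50_000) -> Tuple[bytes, bytes]:
    """Hardened form: fresh random salt per user plus PBKDF2-HMAC-SHA256.

    Returns (salt, digest); both are stored with the user record, so a
    precomputed table would have to be rebuilt per user per guess.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_per_user(password: str, salt: bytes, digest: bytes,
                    iterations: int = 50_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_per_user(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    # Constructed user table: two users happen to share a weak password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

    # Static-salt store: duplicates are visible and one table cracks everyone.
    static_store = {u: hash_static_salt(p) for u, p in users.items()}
    table = precompute_table(CONFIG_SALT, WORDLIST)
    cracked = crack_all(table, static_store)

    # Per-user-salt store: same password, different digests; verification still works.
    per_user_store = {u: hash_per_user(p) for u, p in users.items()}

    return {
        "static_duplicates_visible": static_store["alice"] == static_store["bob"],
        "static_cracked": cracked,
        "per_user_distinct": per_user_store["alice"][1] != per_user_store["bob"][1],
        "per_user_verify_ok": verify_per_user("hunter2", *per_user_store["alice"]),
        "per_user_verify_wrong": verify_per_user("hunter3", *per_user_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows alice and bob with byte-identical digests under the shared salt and both recovered from the one precomputed table, while under per-user salts their digests differ and the table is useless; carol's passphrase is not in the wordlist under either scheme, which is why the slow KDF matters for the guesses that do have to be made one at a time.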