[Catalyst] Security issue with hashed passwords in C:P:A:Password

Tomas Doran bobtfish at bobtfish.net
Wed Mar 24 00:39:30 GMT 2010

On 23 Mar 2010, at 20:17, Evan Carroll wrote:
> This is broken implementation. Hard coding salt in a config file only
> protects you from a rainbow table without that salt. It still doesn't
> solve the problem of cached hashings.

Thanks for the responsible disclosure of a potential security  

I had an entire 4 mins after the bug report in which to make a fix  
available.... :)


P.S. Yes, I appreciate that the attack surface is fairly limited here,  
bit I feel the point still holds.

P.P.S. I expect to be uploading a fix this in the next 24-48 hours for  
anyone who concerned that evil people in possession of their  
application configuration are generating the relevant rainbow tables  
right now...

More information about the Catalyst mailing list