[Catalyst] Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Wed Mar 24 15:27:45 GMT 2010

> P.S. Yes, I appreciate that the attack surface is fairly limited here, bit I
> feel the point still holds.

I disagree, I wouldn't want to extend my fame into publicizing a
massive security vulnerability. I think this one stems from a
misunderstanding of salting. I've forked C:P:A on gitpan and I'll
probably port some (or all) of it to Moose along with my own fix to
this soonish.

> P.P.S. I expect to be uploading a fix this in the next 24-48 hours for
> anyone who concerned that evil people in possession of their application
> configuration are generating the relevant rainbow tables right now...

Evan Carroll
System Lord of the Internets

More information about the Catalyst mailing list