Menu
▾
▴
[Firebird-devel] [ firebird-Bugs-229239 ] Password algorithm poor
|
From: <no...@so...> - 2001-07-23 22:58:47
|
Bugs item #229239, was opened at 2001-01-18 05:42 You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=109028&aid=229239&group_id=9028 Category: Security Issues Group: Feature request Status: Open Resolution: None Priority: 5 Submitted By: Nobody/Anonymous (nobody) Assigned to: Mark ODonohue (skywalker) Summary: Password algorithm poor Initial Comment: Users with the same password currently get the same hashed password stored in the USERS table in isc4.gdb and this seems to be a fairly poor method of doing it. Also the isc4.gdb installed from Firebird 0.9-4 has the permissions of 666 which leaves it wide open to attack. Having it wide open like this is at least as bad as the backdoor recently discovered and more attention should be given to security issues like this. For example as a simple denial of service attack, I just did a ">/opt/interbase/isc4.gdb" as a regular user and pow; no users can login anymore to any database on the system! I could just as easily of used a binary editor to copy my password over another users and thus have changed their password to mine (an example why the same crypt result for two identical passwords is bad!). ---------------------------------------------------------------------- Comment By: Nobody/Anonymous (nobody) Date: 2001-07-23 15:58 Message: Logged In: NO The login method should use a challenge/response authentication system. Anything else is simply too vulnerable to attack. ---------------------------------------------------------------------- Comment By: Mark ODonohue (skywalker) Date: 2001-01-23 20:56 Message: Password is hashed on client and is then passed to server in the hashed format. From a authentication perspective, this process is weak, since a simulated client then only The hashed password (rather than the original clear password) to connect to the server. ---------------------------------------------------------------------- Comment By: Mark ODonohue (skywalker) Date: 2001-01-18 08:18 Message: Poor default install permissions, come from mixing direct connect databases and server access databases. This will be changed shortly (as will default install as root user). Hash should be on "salt + username + password" to ensure unique for individuals, and protect against dictionary attack. Hash Alg should not be single DES hash round should be SHA1 or MD5 (probably SHA1). (whoever submitted this I wouldn't mind them getting in contact with me, mar...@lu...). ---------------------------------------------------------------------- You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=109028&aid=229239&group_id=9028 |
