Let me first go on record as stating that this is the third
time I have reported this bug. Once to the original
developer, to Zeev Suraski in 3/2000 (who assured me it
would be fixed in the next version), and now here.
Hopefully someone will agree with me that it is serious
and fix the distribution.
The allow_empty_passwords does not behave as
expected. To state it another way, even if
allow_empty_passwords is off, empty passwords may
still be accepted. This is because the crypt function
may return a positive result if an empty password is
contained in the database. In order to truly block empty
passwords (even if they exist in the database), you must
make the following changes to mod_auth_mysql.c:

    /* empty password support */
    if (sec->allow_empty_passwords && !strlen(sql_row[0])) {
        return 1;
    }

should be changed to read:

    /* empty password support */
    if (!strlen(sql_row[0])) {
        if (sec->allow_empty_passwords)
            return 1;
        else
            return 0;
    }

Note that even with this fix, the documentation should
be clear that if there is a blank password entry in the
database, *ANY* password may be accepted.
Let me know if I can do anything to make sure that this
makes it in.
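
The two versions of the check side by side, as an added example that is not part of the original report or of mod_auth_mysql.c. Assumptions: toy_crypt is a constructed stand-in for crypt() that models the behaviour described above (an empty stored value produces a matching result), the fall-through comparison is an assumed shape for the rest of the module's check, and "xxsecret" is a constructed database value.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for crypt(3), NOT a real hash. It models the case the
 * report describes: with an empty stored value as the salt, the result is
 * empty too, so it compares equal to the empty database field. */
static const char *toy_crypt(const char *sent, const char *salt)
{
    static char out[64];
    if (salt[0] == '\0')
        return "";
    snprintf(out, sizeof out, "%.2s%s", salt, sent);
    return out;
}

/* Assumed shape of the rest of the check: compare stored value to crypt(). */
static int compare(const char *row, const char *sent)
{
    return strcmp(row, toy_crypt(sent, row)) == 0;
}

/* Original logic: the empty-field test only runs when the option is on. */
static int check_before(int allow_empty, const char *row, const char *sent)
{
    if (allow_empty && !strlen(row))
        return 1;
    return compare(row, sent);
}

/* Logic proposed in the report: an empty field is decided by the option alone. */
static int check_after(int allow_empty, const char *row, const char *sent)
{
    if (!strlen(row))
        return allow_empty ? 1 : 0;
    return compare(row, sent);
}

int main(void)
{
    printf("option off, empty field, before: %d\n", check_before(0, "", "guess"));
    printf("option off, empty field, after:  %d\n", check_after(0, "", "guess"));
    printf("option on,  empty field, after:  %d\n", check_after(1, "", "guess"));
    printf("option off, real entry, right:   %d\n", check_after(0, "xxsecret", "secret"));
    printf("option off, real entry, wrong:   %d\n", check_after(0, "xxsecret", "wrong"));
    return 0;
}
```

The third case is the one the closing note asks the documentation to spell out: with the option on, a blank database entry accepts whatever password is sent.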