[ postfixadmin-Bugs-1694669 ] Improper Use of crypt()
Brought to you by:
christian_boltz,
gingerdog
From: SourceForge.net <no...@so...> - 2007-10-09 17:05:49
Bugs item #1694669, was opened at 2007-04-05 00:14
Message generated for change (Comment added) made by gingerdog
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=1694669&group_id=191583

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Core
Group: SVN (please specify revision!)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Improper Use of crypt()

Initial Comment:
Inside the pacrypt() function in functions.inc.php, crypt() is used for the 'system' encryption type. Salt is first calculated with the below code:

    if (ereg ("\$1\$", $pw_db)) {
        $split_salt = preg_split ('/\$/', $pw_db);
        $salt = $split_salt[2];
    } else {
        $salt = substr ($pw_db, 0, 2);
    }

... however, that is improper according to the php.net documentation (http://www.php.net/crypt) for the crypt() call:

... You should pass the entire results of crypt() as the salt for comparing a password, to avoid problems when different hashing algorithms are used. (As it says above, standard DES-based password hashing uses a 2-character salt, but MD5-based hashing uses 12.) ...

Simply modifying the code to read:

    if ($pw_db) {
        $password = crypt ($pw, $pw_db);
    } else {
        $password = crypt ($pw);
    }

... fixed the problem in my case.

----------------------------------------------------------------------

>Comment By: GingerDog (gingerdog)
Date: 2007-10-09 17:05

Message:
Logged In: YES
user_id=1761957
Originator: NO

I'd be tempted to think not - after all people must (!?) be using crypt'ed passwords with other 3rd party applications (e.g. imap/pop3 clients).... doesn't this imply we can fix this without any side effects?

----------------------------------------------------------------------

Comment By: Christian Boltz (christian_boltz)
Date: 2007-10-07 20:03

Message:
Logged In: YES
user_id=593261
Originator: NO

Your arguments are valid, but the question is: Will this break existing passwords? (If yes, it will be problematic to do this change.)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=1694669&group_id=191583
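The salt handling quoted in the initial report, placed beside the reporter's proposed fix, as an added example that is not PostfixAdmin's own code; the hashes are generated at runtime with crypt(), the salts are arbitrary, and hash_equals() is assumed available (PHP 5.6+).

```php
<?php
// Added example (not PostfixAdmin's own code): the salt extraction quoted in the
// report beside the fix the reporter proposes, using hashes generated on the fly
// so the difference can be observed without embedding any real password hash.

// Mirrors the original pacrypt() logic: 2-char salt for DES, field 2 for "$1$" (MD5).
// ereg() no longer exists in PHP 7+, so preg_match() performs the same test here.
function legacy_system_check(string $pw, string $pw_db): bool
{
    if (preg_match('/\$1\$/', $pw_db)) {
        $split_salt = preg_split('/\$/', $pw_db);
        $salt = $split_salt[2];        // bare salt text, "$1$" prefix and "$" dropped
    } else {
        $salt = substr($pw_db, 0, 2);
    }
    // crypt() never sees the "$1$" marker, so it cannot produce an MD5-based hash
    // and every MD5 entry fails to verify; plain DES entries still work.
    return crypt($pw, $salt) === $pw_db;
}

// Proposed fix: hand the whole stored hash to crypt(), which then selects the
// algorithm and salt length itself, as php.net recommends. hash_equals() keeps
// the comparison constant-time.
function fixed_system_check(string $pw, string $pw_db): bool
{
    if ($pw_db === '') {
        return false;                  // no stored hash: nothing can match
    }
    return hash_equals($pw_db, crypt($pw, $pw_db));
}

// Constructed test vectors (arbitrary salts, generated here, not from any real system).
$pw     = 'correct horse';
$des_db = crypt($pw, 'ab');            // traditional DES: 2-char salt, 13-char result
$md5_db = crypt($pw, '$1$abcdefgh$');  // MD5-based: "$1$" + 8-char salt + "$", 34-char result

foreach (['DES' => $des_db, 'MD5' => $md5_db] as $kind => $db) {
    printf("%s: legacy=%s fixed=%s wrong-password=%s\n", $kind,
        var_export(legacy_system_check($pw, $db), true),
        var_export(fixed_system_check($pw, $db), true),
        var_export(fixed_system_check('not it', $db), true));
}
```

Running it shows the legacy check accepting the DES entry but rejecting the MD5 entry for the correct password, while the fixed check accepts both and still rejects the wrong password, which is the behaviour Christian Boltz's compatibility question turns on.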