On 23 Mar 2010, at 20:17, Evan Carroll wrote:
> This is a broken implementation. Hard coding salt in a config file only
> protects you from a rainbow table without that salt. It still doesn't
> solve the problem of cached hashings.
Thanks for the responsible disclosure of a potential security
vulnerability.
I had an entire 4 mins after the bug report in which to make a fix
available.... :)
Cheers
t0m
P.S. Yes, I appreciate that the attack surface is fairly limited here,
but I feel the point still holds.
P.P.S. I expect to be uploading a fix for this in the next 24-48 hours for
anyone who is concerned that evil people in possession of their
application configuration are generating the relevant rainbow tables
right now...
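The point Evan raises, that one salt shared across every account only defeats rainbow tables built without that salt and does nothing about hashes that are already computed, is easy to see side by side. The following is an added illustration written for this page; it is not code from the thread or from the Catalyst project. The user names, passwords, config-file salt and PBKDF2 iteration count are all constructed values.

```python
"""Added illustration (not from the Catalyst thread or the project):
compares a hard-coded, application-wide salt against a per-user random
salt. With one fixed salt, equal passwords hash identically, so a single
precomputed or cached hash covers every account that chose that password.
With a per-user salt stored beside the hash, a cached hash matches at
most one record.

All user names, passwords and constants below are constructed sample data."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for a salt hard-coded in an application config file.
GLOBAL_SALT = b"config-file-salt"
ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the demo


def hash_with_global_salt(password: str) -> bytes:
    """One salt shared by every account: the weak scheme from the thread."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), GLOBAL_SALT, ITERATIONS)


def hash_with_user_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt generated at enrolment and stored with the hash.
    Returns (salt, hash) so the caller can persist both."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_user_salt(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored per-user salt and compare in constant time."""
    _, candidate = hash_with_user_salt(password, salt)
    return hmac.compare_digest(candidate, stored)


def count_duplicate_hashes(hashes: Dict[str, bytes]) -> int:
    """Number of accounts whose stored hash is identical to another account's.
    A nonzero result is exactly the hash-reuse exposure a global salt leaves."""
    seen: Dict[bytes, int] = {}
    for h in hashes.values():
        seen[h] = seen.get(h, 0) + 1
    return sum(n for n in seen.values() if n > 1)


def compare_schemes() -> Tuple[int, int]:
    """Hash a constructed user table both ways and return the number of
    colliding records as (with global salt, with per-user salt)."""
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    global_table = {u: hash_with_global_salt(p) for u, p in users.items()}
    user_table = {u: hash_with_user_salt(p)[1] for u, p in users.items()}
    return count_duplicate_hashes(global_table), count_duplicate_hashes(user_table)


if __name__ == "__main__":
    g, u = compare_schemes()
    print(f"duplicate hashes with global salt: {g}, with per-user salt: {u}")
    salt, stored = hash_with_user_salt("correct horse")
    print("per-user verify ok:", verify_user_salt("correct horse", salt, stored))
```

Running it shows two colliding records under the global salt (alice and bob share a password, so they share a hash) and none under per-user salts; the verify function shows that the per-user scheme still checks passwords normally once the salt is stored alongside the hash.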
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/