> * In what circumstances was an attack possible?
>   i.e. What combination of modules, options, auth methods.

* You use Catalyst::Authentication::Credential::Password.
* With the "hashed" password_type.
* And your database is compromised.

> * Which versions were vulnerable, and if any, at what version were
>   they fixed, if any?

All versions. "hashed" shouldn't be used except by those who have broken and
stupid user databases; fixing it isn't possible. What we perhaps *should* do
is warn when it's used, and do a better job of marking it as unsuitable for
use in the perldoc.

> * What mitigating factors can be applied to existing systems to reduce
>   their vulnerability to the attack?

* Use password_type = "salted_hash" to get salted hashes.
* Or use password_type = "self_check" and a store that provides secure
  password handling via the user object, e.g.
  Catalyst::Authentication::Store::DBIx::Class w/ DBIx::Class::EncodedColumn
  on the user table, or Catalyst::Authentication::Store::LDAP (plus a
  suitable configuration on your LDAP server; some of them will allow you to
  do stupid things like plaintext passwords, but we can't help that).
* If you have a user database that uses plain hashed passwords, start
  figuring out how to change over to a proper method and how to force all of
  your users to reset their passwords.

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
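The three password_type settings discussed in the reply, shown side by side as an added configuration example; this is not code from the post or from the Catalyst project. The credential keys (password_type, password_hash_type, password_salt_len) are those documented by Catalyst::Authentication::Credential::Password and the column options are those of DBIx::Class::EncodedColumn, reproduced from memory, so check them against your installed perldoc; the application name MyApp, the model name DB::User and the table layout are assumptions made for the example.

```perl
# Added example: the weak "hashed" realm beside the two mitigations the
# reply recommends. Not part of the original post or of Catalyst itself.
package MyApp;
use strict;
use warnings;

# --- Weak: unsalted digest ("hashed") -----------------------------------
# Two users with the same password share the same stored value, and a
# dumped table exposes every account to offline guessing against a
# single precomputed digest per candidate password.
my %weak_realm = (
    credential => {
        class              => 'Password',
        password_field     => 'password',
        password_type      => 'hashed',
        password_hash_type => 'SHA-1',
    },
    store => { class => 'DBIx::Class', user_model => 'DB::User' },  # assumed model name
);

# --- Better: per-user salted digest ("salted_hash") ---------------------
# Crypt::SaltedHash format; each stored value carries its own salt of
# password_salt_len bytes, so identical passwords no longer collide.
my %salted_realm = (
    credential => {
        class              => 'Password',
        password_field     => 'password',
        password_type      => 'salted_hash',
        password_hash_type => 'SHA-1',
        password_salt_len  => 4,
    },
    store => { class => 'DBIx::Class', user_model => 'DB::User' },
);

# --- Preferred: delegate verification to the user object ("self_check") -
# The credential calls $user->check_password($plaintext); how the password
# is stored is then entirely the store's business.
my %self_check_realm = (
    credential => {
        class         => 'Password',
        password_type => 'self_check',
    },
    store => { class => 'DBIx::Class', user_model => 'DB::User' },
);

__PACKAGE__->config(
    'Plugin::Authentication' => {
        default_realm => 'members',
        realms        => { members => \%self_check_realm },
    },
);

# The user result class that the self_check realm relies on. With
# DBIx::Class::EncodedColumn the schema salts and digests the value when it
# is stored and supplies check_password(), so the application never
# compares digests itself.
package MyApp::Schema::Result::User;   # assumed class/table layout
use strict;
use warnings;
use base 'DBIx::Class::Core';

__PACKAGE__->load_components(qw(EncodedColumn));
__PACKAGE__->table('users');
__PACKAGE__->add_columns(
    id       => { data_type => 'integer', is_auto_increment => 1 },
    username => { data_type => 'varchar', size => 64 },
    password => {
        data_type           => 'text',
        encode_column       => 1,
        encode_class        => 'Digest',
        encode_args         => { algorithm => 'SHA-256', format => 'base64', salt_length => 10 },
        encode_check_method => 'check_password',   # the method self_check invokes
    },
);
__PACKAGE__->set_primary_key('id');

1;
```

Switching an existing realm from "hashed" to either of the other two changes the stored format, which is why the reply pairs the change with a forced password reset: old unsalted digests cannot be converted into salted ones without the plaintext, so accounts have to be rehashed at their next successful login or reset.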
