On 08/04/10 16:21, Andrew Rodland wrote:
> * In what circumstances was an attack possible?
> i.e. What combination of modules, options, auth methods.
> * You use Catalyst::Authentication::Credential::Password.
> * With the "hashed" password_type.
> * And your database is compromised.
I'd like to follow up that last point, regarding the DB being compromised.
Is that definitely a requirement for the vulnerability?
I ask because, in many cases, if your DB is compromised, then the horse
has already bolted.
I understand that isn't the case for everyone, such as payment
processors, online shops, etc. where actions can be carried out by
logged-in users that cause external effects, but in some cases, the
database IS the website, and if you've stolen it, then there's no point
logging in as another user artificially.
But, yes, it's still worth looking into fixing then I think.
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/