On 08/04/10 22:49, Daniel Pittman wrote:
Toby Corkindale <[email protected]> writes:
On 08/04/10 16:21, Andrew Rodland wrote:
    * In what circumstances was an attack possible?
      i.e. what combination of modules, options, auth methods.

* You use Catalyst::Authentication::Credential::Password.
* With the "hashed" password_type.
* And your database is compromised.

I'd like to follow up that last point, regarding the DB being compromised.
Is that definitely a requirement for the vulnerability?

Unless you are passing the hashed passwords around as authentication tokens,
yes.  Plus, at that point you have already lost.

I ask because, in many cases, if your DB is compromised, then the horse has
already bolted.

I understand that isn't the case for everyone, such as payment processors,
online shops, etc. where actions can be carried out by logged in users that
cause external effects.. but in some cases, the database IS the website, and
if you've stolen it, then there's no point logging in as another user
artificially.

...but your lost database *also* exposed user account/password pairs, which
can now be tried against other services, since people usually use the same
weak password and username all over the place.

.. if they are using sufficiently weak passwords, such that they're present in a rainbow table? (Or do such rainbow tables contain every single possible SHA-1 value, i.e. from random-looking strings that happen to correspond to the same SHA-1 as the actual password?)


From the app-dev perspective, though, you already lost. :)

But, yes, it's still worth looking into fixing then I think.

*nod*  Unix did, decades back, for much the same reasons other people have
given here.
         Daniel

Although Unix had the problem that the /etc/passwd file was visible to all users on the machine, prior to the introduction of the shadowed version, and thus anyone could try and brute-force the password hashes.

In most (all) websites today, the authentication database is not user-visible.

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
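The thread keeps coming back to one point: once the authentication table leaks, an unsalted "hashed" password column can be attacked with a single precomputed lookup table, and that table covers only the wordlist it was built from, not every SHA-1 value. The following is an added example, not code from this thread or from Catalyst::Authentication::Credential::Password. It contrasts plain SHA-1 (standing in for the "hashed" type as discussed above) with a per-user salted, iterated scheme; the choice of PBKDF2-HMAC-SHA256 with a 16-byte random salt, the wordlist and the "leaked" rows are all assumptions constructed for the demonstration.

```python
"""Added example (not Catalyst's code): one precomputed table cracks every
unsalted SHA-1 password hash at once, while a per-user salt plus a slow KDF
forces the attacker to start over for each user.  Wordlist, users and the
"leaked" rows below are constructed for illustration."""
import hashlib
import hmac
import os

# Small stand-in for the wordlist a rainbow/lookup table is built from.
# Note the table only ever covers these entries, not the whole SHA-1 space.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "catalyst"]


def hashed_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: same password, same digest, for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Computed once, then reusable against any unsalted table that ever leaks."""
    return {hashed_unsalted(w): w for w in wordlist}


def crack_unsalted(leaked_rows, table):
    """(username, sha1_hex) rows fall to one dictionary lookup each."""
    return {user: table[digest] for user, digest in leaked_rows if digest in table}


def hashed_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Assumed replacement scheme: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password: str, salt: bytes, stored: bytes,
                  iterations: int = 100_000) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hashed_salted(password, salt, iterations), stored)


def crack_salted(leaked_rows, wordlist, iterations=100_000):
    """With salts nothing precomputed carries over: the attacker must run the
    whole wordlist through the KDF again for every user.  Returns the
    passwords recovered and the number of KDF invocations that cost."""
    recovered, kdf_calls = {}, 0
    for user, salt, stored in leaked_rows:
        for candidate in wordlist:
            kdf_calls += 1
            if verify_salted(candidate, salt, stored, iterations):
                recovered[user] = candidate
                break
    return recovered, kdf_calls


def demo(iterations: int = 1000):
    """Constructed leak: alice and bob share a password, carol's is not in
    the wordlist.  Returns (unsalted_cracked, digests_collide, salted_cracked,
    salted_kdf_calls, salted_digests_differ)."""
    users = [("alice", "hunter2"), ("bob", "hunter2"),
             ("carol", "correct horse battery staple")]

    # Unsalted: identical passwords produce identical digests, visible before
    # any cracking, and one table lookup recovers every wordlist password.
    unsalted_rows = [(u, hashed_unsalted(pw)) for u, pw in users]
    digests_collide = unsalted_rows[0][1] == unsalted_rows[1][1]
    cracked = crack_unsalted(unsalted_rows, build_lookup_table(WORDLIST))

    # Salted: same passwords, different digests; the shared password gives
    # the attacker no shortcut and every guess costs a full KDF run.
    salted_rows = []
    for u, pw in users:
        salt = os.urandom(16)  # per-user random salt, stored beside the hash
        salted_rows.append((u, salt, hashed_salted(pw, salt, iterations)))
    digests_differ = salted_rows[0][2] != salted_rows[1][2]
    recovered, calls = crack_salted(salted_rows, WORDLIST, iterations)

    return cracked, digests_collide, recovered, calls, digests_differ


if __name__ == "__main__":
    cracked, collide, recovered, calls, differ = demo()
    print("unsalted: cracked", cracked, "| shared password visible:", collide)
    print("salted:   cracked", recovered, "after", calls, "KDF calls",
          "| digests differ:", differ)
```

The salted scheme does not stop a weak password from being guessed (alice and bob still fall to the wordlist), but it removes the reusable precomputation, hides which users share a password, and lets the iteration count set the price of each guess. The iteration count is lowered in `demo()` only to keep the run short; a deployment would keep the default or higher.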