Seeing as the fix has been developed, it would be awesome if a patch could be submitted for this http://doc.silverstripe.org/doku.php?id=submitting-patches
You know, open source and all that... ?

Paul

On Fri, Jul 31, 2009 at 11:31 AM, craiganz<[email protected]> wrote:
>
> Hi.
> Just for completeness and in case anyone from SilverStripe reads this,
> there is a fix for this problem which maintains (reasonable) backward
> compatibility with the current broken version, so that existing users
> in most installations won't be affected.
>
> if (last 100 bits of hashed password in the database are zero) {
>     use the old, broken authentication mechanism, but compare only the
>     first 10 chars of the hashed passwords
> } else {
>     use a new/fixed authentication scheme which does not need to be
>     compatible with the old version and which uses all 160 bits of the
>     hashed password
> }
>
> -Craig
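
The dispatch described in the quoted message, sketched in PHP as an added example (not SilverStripe's code and not code from the thread). It assumes stored hashes are 40-character hex strings; the two hash callables are hypothetical stand-ins for the old and fixed schemes, and the `legacy` flag in the result, which lets a caller re-hash the password after a successful old-path login, goes beyond the proposal.

```php
<?php
// Added illustration; not SilverStripe code. Assumes 40-char hex hashes.
const HASH_HEX_LEN  = 40; // 160 bits
const ZERO_TAIL_HEX = 25; // 100 bits = 25 hex digits
const LEGACY_PREFIX = 10; // "first 10 chars" from the proposal

// A genuine 160-bit hash ends in 100 zero bits with probability 2^-100,
// so a zero tail reliably marks a hash written by the broken version.
function isLegacyHash(string $stored): bool
{
    return substr($stored, -ZERO_TAIL_HEX) === str_repeat('0', ZERO_TAIL_HEX);
}

// $legacyHash and $fixedHash are hypothetical callables: password -> hex hash.
function verifyPassword(string $password, string $stored,
                        callable $legacyHash, callable $fixedHash): array
{
    $stored = strtolower($stored);
    if (strlen($stored) !== HASH_HEX_LEN || !ctype_xdigit($stored)) {
        return ['ok' => false, 'legacy' => false]; // malformed record: reject
    }
    if (isLegacyHash($stored)) {
        // Old path: only the first 10 characters are compared.
        $ok = hash_equals(substr($stored, 0, LEGACY_PREFIX),
                          substr(strtolower($legacyHash($password)), 0, LEGACY_PREFIX));
        return ['ok' => $ok, 'legacy' => true];
    }
    // New path: constant-time comparison over all 160 bits.
    return ['ok' => hash_equals($stored, strtolower($fixedHash($password))),
            'legacy' => false];
}

// Constructed stand-ins for the two schemes (not the real algorithms).
$fixed  = function (string $p): string { return sha1($p); };
$legacy = function (string $p): string {
    return substr(sha1($p), 0, 15) . str_repeat('0', ZERO_TAIL_HEX);
};

// Constructed sample records.
$oldRecord = $legacy('correct horse');
$newRecord = $fixed('correct horse');

var_dump(verifyPassword('correct horse', $oldRecord, $legacy, $fixed));
var_dump(verifyPassword('correct horse', $newRecord, $legacy, $fixed));
var_dump(verifyPassword('wrong guess',   $newRecord, $legacy, $fixed));
```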
