User able to login with cleartext password and no salt
Bug #662424 reported by
Eugene
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Fix Released
|
Medium
|
Eugene |
Bug Description
There seems to be two issues here:
1 - When resetting a user's password (via 'Acount Settings' as Admin user), the password is saved in cleartext and with no salt in the usr table.
2 - User login is then also possible with a cleartext password and no salt!
I have tested this on the the following branches:
1.0_STABLE
1.1_STABLE
1.2_STABLE
1.3_STABLE
master
The issue seems to be present in all of the above branches.
Relevant system specs:
Ubuntu 10.04
Postgres 8.4.5
Cheers and hope this helps ;),
Eugene.
Changed in mahara: | |
status: | New → In Progress |
importance: | Undecided → Medium |
milestone: | none → 1.4.0 |
Changed in mahara: | |
status: | In Progress → Fix Committed |
visibility: | private → public |
Changed in mahara: | |
assignee: | nobody → Eugene (eugene-catalyst) |
Changed in mahara: | |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
Here is a patch that will fix issue 1.
I have not attempted to fix issue 2, due to the following code that is present within the validate_password function in auth/internal/ lib.php:
if ($salt == null) {
// This allows "plaintext" passwords, which are eaiser for an admin to
// create by hacking in the database directly. The application does not
// create passwords in this form.
// We don't allow empty passwords here to prevent anyone logging in to
// user accounts that were created by some other passwordless auth
// method and subsequently changed to internal.
return $wehave != '' && $theysent == $wehave;
}