
[#9121] decrypted password issue (DIGEST-MD5)
Summary decrypted password issue (DIGEST-MD5)
Queue IMP
Queue Version Git master
Type Bug
State Resolved
Priority 1. Low
Owners slusarz (at) horde (dot) org
Requester imp (at) lx-soft (dot) com
Created 7/2/10 (5830 days ago)
Due
Updated 7/2/10 (5830 days ago)
Assigned 7/2/10 (5830 days ago)
Resolved 7/2/10 (5830 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch Yes

History
375 Michael Slusarz State ⇒ Resolved
 
149 Jan Schneider Assigned to Michael Slusarz
State ⇒ Assigned
 
39 Jan Schneider Deleted Original Message
 
68 imp (at) lx-soft (dot) com Comment #2
New Attachment: Secret.php[1].diff
This second patch is even simpler/better.
167 imp (at) lx-soft (dot) com Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ decrypted password issue (DIGEST-MD5)
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ Yes
New Attachment: Secret.php.diff
State ⇒ Unconfirmed
Dear Horde Team,

According to: http://www.php.net/manual/en/function.mcrypt-generic.php

A stored password may be padded with \0 if its length is not the 
same as the block size (8 chars).

This feature is used by Crypt::Blowfish, which in turn is used by 
Horde::Secret to store the password used to do DIGEST-MD5 authentication.

I've attached a patch which checks the length of the encrypted message.
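
The padding problem reported in comment #1, as an added example that is not part of the ticket or of the attached patches: it models only the NUL padding to the 8-byte block size (no Blowfish is run), computes the DIGEST-MD5 response per RFC 2831, and shows that the padded password no longer authenticates. The function names, the sample values and the length-prefix framing are assumptions chosen for illustration; the framing is one possible remedy and not necessarily what Secret.php.diff does.

```python
import hashlib
import struct

BLOCK = 8  # block size in bytes, as stated in the ticket

def zero_pad(data: bytes) -> bytes:
    """Pad with NUL bytes to the next multiple of BLOCK (aligned input is unchanged)."""
    return data + b"\0" * (-len(data) % BLOCK)

def frame(secret: bytes) -> bytes:
    """Hypothetical remedy: prefix a 4-byte big-endian length before padding."""
    return zero_pad(struct.pack(">I", len(secret)) + secret)

def unframe(padded: bytes) -> bytes:
    """Recover exactly the original bytes from decrypted, framed plaintext."""
    if len(padded) < 4:
        raise ValueError("framed plaintext too short")
    (n,) = struct.unpack(">I", padded[:4])
    if n > len(padded) - 4:
        raise ValueError("length prefix exceeds decrypted data")
    return padded[4:4 + n]

def digest_md5_response(user, realm, password, nonce, cnonce, uri,
                        nc=b"00000001", qop=b"auth") -> str:
    """RFC 2831 response value for qop=auth without authzid."""
    h_urp = hashlib.md5(user + b":" + realm + b":" + password).digest()
    a1 = h_urp + b":" + nonce + b":" + cnonce
    ha1 = hashlib.md5(a1).hexdigest().encode()
    ha2 = hashlib.md5(b"AUTHENTICATE:" + uri).hexdigest().encode()
    kd = b":".join([ha1, nonce, nc, cnonce, qop, ha2])
    return hashlib.md5(kd).hexdigest()

# Constructed sample values, not taken from the ticket.
ARGS = dict(user=b"alice", realm=b"example.org", nonce=b"srv-nonce",
            cnonce=b"cli-nonce", uri=b"imap/mail.example.org")
PASSWORD = b"secret"                 # 6 bytes, so 2 NUL bytes get appended
after_decrypt = zero_pad(PASSWORD)   # what a zero-padding cipher hands back
expected = digest_md5_response(password=PASSWORD, **ARGS)
broken = digest_md5_response(password=after_decrypt, **ARGS)
fixed = digest_md5_response(password=unframe(frame(PASSWORD)), **ARGS)

if __name__ == "__main__":
    print("padded:", after_decrypt, "response matches:", broken == expected)
    print("framed:", unframe(frame(PASSWORD)), "response matches:", fixed == expected)
```

Stripping trailing NUL bytes after decryption would also restore this sample password, but unlike a stored length it cannot tell padding apart from a secret that really ends in \0.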

