
[#9121] decrypted password issue (DIGEST-MD5)
Summary decrypted password issue (DIGEST-MD5)
Queue IMP
Queue Version Git master
Type Bug
State Resolved
Priority 1. Low
Owners slusarz (at) horde (dot) org
Requester imp (at) lx-soft (dot) com
Created 07/02/2010 (5500 days ago)
Due
Updated 07/02/2010 (5500 days ago)
Assigned 07/02/2010 (5500 days ago)
Resolved 07/02/2010 (5500 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch Yes

History
07/02/2010 05:45:37 PM Michael Slusarz State ⇒ Resolved
 
07/02/2010 09:07:14 AM Jan Schneider Assigned to Michael Slusarz
State ⇒ Assigned
 
07/02/2010 09:07:03 AM Jan Schneider Deleted Original Message
 
07/02/2010 08:06:06 AM imp (at) lx-soft (dot) com Comment #2
New Attachment: Secret.php[1].diff
This second patch is even simpler/better.
07/02/2010 07:15:16 AM imp (at) lx-soft (dot) com Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ decrypted password issue (DIGEST-MD5)
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ Yes
New Attachment: Secret.php.diff
State ⇒ Unconfirmed
Dear Horde Team,

According to: http://www.php.net/manual/en/function.mcrypt-generic.php

A stored password may be padded with \0 if its length is not the 
same as the block size (8 chars).

This feature is used by Crypt::Blowfish, which is used again by 
Horde::Secret to store the password used to do DIGEST-MD5 Authentication.

I've attached a patch which checks the length of the encrypted message.
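
Added example (not part of the ticket, the attached patches, or Horde's code): a PHP simulation of the zero padding described in comment #1, showing how trailing NUL bytes change the DIGEST-MD5 credential hash and how storing the plaintext length recovers the exact password. The helper names, the 4-byte length prefix and the sample values are assumptions made for illustration; only the padding step is simulated, no cipher is run.

```php
<?php
// Added example: simulates the zero padding only; no cipher is involved.
const BLOCK_SIZE = 8; // Blowfish block size in bytes

/** What a zero-padding block cipher hands back after decryption (simulated). */
function zero_pad(string $plain): string
{
    $rem = strlen($plain) % BLOCK_SIZE;
    return $rem === 0 ? $plain : $plain . str_repeat("\0", BLOCK_SIZE - $rem);
}

/** Inner hash of DIGEST-MD5 A1 (RFC 2831): H(username ":" realm ":" passwd). */
function digest_a1_inner(string $user, string $realm, string $pass): string
{
    return md5("$user:$realm:$pass");
}

/** Hypothetical fix: prefix the plaintext with its 4-byte big-endian length. */
function wrap(string $plain): string
{
    return pack('N', strlen($plain)) . $plain;
}

/** Recover exactly the original bytes from a padded, length-prefixed message. */
function unwrap(string $padded): string
{
    if (strlen($padded) < 4) {
        throw new InvalidArgumentException('message too short');
    }
    $len = unpack('N', substr($padded, 0, 4))[1];
    if ($len > strlen($padded) - 4) {
        throw new InvalidArgumentException('length prefix exceeds message');
    }
    return substr($padded, 4, $len);
}

// Constructed sample values, not taken from the ticket.
$user = 'alice';
$realm = 'example.org';
$expect = fn(bool $same): string => $same ? 'ok' : 'MISMATCH';
foreach (['secret', 'pass1234', "tail\0"] as $pw) {
    $naive = zero_pad($pw);               // stored without its length
    $trimmed = rtrim($naive, "\0");       // strips NULs that belong to the password too
    $exact = unwrap(zero_pad(wrap($pw))); // length-prefixed round trip
    $hashOk = digest_a1_inner($user, $realm, $naive) === digest_a1_inner($user, $realm, $pw);
    printf("%-14s hash(naive)=%s rtrim=%s prefixed=%s\n", json_encode($pw),
        $expect($hashOk), $expect($trimmed === $pw), $expect($exact === $pw));
}
```

The third sample ends in a real NUL byte, which is the case that separates trimming trailing NULs from recording the original length.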

