Tickets :: [#9121] decrypted password issue (DIGEST-MD5)

6.0.0-beta1

11/8/25

Summary	decrypted password issue (DIGEST-MD5)
Queue	IMP
Queue Version	Git master
Type	Bug
State	Resolved
Priority	1. Low
Owners	slusarz (at) horde (dot) org
Requester	imp (at) lx-soft (dot) com
Created	07/02/2010 (5608 days ago)
Due
Updated	07/02/2010 (5608 days ago)
Assigned	07/02/2010 (5608 days ago)
Resolved	07/02/2010 (5608 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	Yes

07/02/2010 05:45:37 PM	Michael Slusarz	State ⇒ Resolved

07/02/2010 05:45:19 PM	Git Commit	Comment #3	Reply to this comment
Changes have been made in Git for this ticket: ~~Bug #9121~~: Remove null padding on stored data http://git.horde.org/diff.php/framework/Secret/lib/Horde/Secret.php?rt=horde-git&r1=271ce27ceee4749c667b3d0b51be8947c915472d&r2=3db5893ecb72a2f35b73ece266e26594b8045f78

07/02/2010 09:07:14 AM	Jan Schneider	Assigned to Michael Slusarz State ⇒ Assigned

07/02/2010 09:07:03 AM	Jan Schneider	Deleted Original Message

07/02/2010 08:06:06 AM	imp (at) lx-soft (dot) com	Comment #2 New Attachment: Secret.php[1].diff	Reply to this comment
This second patch is even simpler/better.

07/02/2010 07:15:16 AM	imp (at) lx-soft (dot) com	Comment #1 Priority ⇒ 1. Low Type ⇒ Bug Summary ⇒ decrypted password issue (DIGEST-MD5) Queue ⇒ IMP Milestone ⇒ Patch ⇒ Yes New Attachment: Secret.php.diff State ⇒ Unconfirmed	Reply to this comment
Dear Horde Team, According to: http://www.php.net/manual/en/function.mcrypt-generic.php A stored password may be padded with \0, if it's length is not the same as the block size (8 chars). This feature is used by Crypt::Blowfish, which is used again by Horde::Secret to store password used to do DIGEST-MD5 Authentication. I've attached a patch which check the length of the encrypted message.