Summary | decrypted password issue (DIGEST-MD5) |
Queue | IMP |
Queue Version | Git master |
Type | Bug |
State | Resolved |
Priority | 1. Low |
Owners | slusarz (at) horde (dot) org |
Requester | imp (at) lx-soft (dot) com |
Created | 07/02/2010 (5500 days ago) |
Due | |
Updated | 07/02/2010 (5500 days ago) |
Assigned | 07/02/2010 (5500 days ago) |
Resolved | 07/02/2010 (5500 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | Yes |
Bug #9121: Remove null padding on stored data
http://git.horde.org/diff.php/framework/Secret/lib/Horde/Secret.php?rt=horde-git&r1=271ce27ceee4749c667b3d0b51be8947c915472d&r2=3db5893ecb72a2f35b73ece266e26594b8045f78
State ⇒ Assigned
New Attachment: Secret.php[1].diff
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ decrypted password issue (DIGEST-MD5)
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ Yes
New Attachment: Secret.php.diff
State ⇒ Unconfirmed
According to: http://www.php.net/manual/en/function.mcrypt-generic.php
A stored password may be padded with \0, if its length is not the
same as the block size (8 chars).
This feature is used by Crypt::Blowfish, which is used again by
Horde::Secret to store the password used to do DIGEST-MD5 Authentication.
I've attached a patch which checks the length of the encrypted message.
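
The effect described in this report, as an added example that is not part of the ticket or of the Horde patch: it simulates the `\0` padding to an 8-byte block, shows that the padded password yields a different DIGEST-MD5 secret hash, and compares two ways of removing the padding. The function names, user, realm and password are constructed for illustration, and no mcrypt or Horde code is called.

```php
<?php
// Added example: simulates the "\0" padding applied to block-cipher input.
const BLOCK_SIZE = 8; // block size named in the report (8 chars)

// Pad to a multiple of the block size with "\0", as mcrypt_generic() does.
function zeroPad(string $data): string
{
    $rem = strlen($data) % BLOCK_SIZE;
    return $rem === 0 ? $data : $data . str_repeat("\0", BLOCK_SIZE - $rem);
}

// Inner hash of the DIGEST-MD5 A1 value (RFC 2831): MD5(username:realm:passwd).
function digestSecret(string $user, string $realm, string $pass): string
{
    return md5("$user:$realm:$pass");
}

// Option 1: strip trailing NULs after decryption.
// Lossy if the original plaintext may itself end in "\0".
function stripPadding(string $decrypted): string
{
    return rtrim($decrypted, "\0");
}

// Option 2 (hypothetical format): prefix the true length so unpadding is exact.
function packWithLength(string $data): string
{
    return zeroPad(pack('N', strlen($data)) . $data);
}

function unpackWithLength(string $decrypted): string
{
    $len = unpack('N', substr($decrypted, 0, 4))[1];
    return substr($decrypted, 4, $len);
}

// Constructed sample values.
$user = 'alice';
$realm = 'example.org';
$password = 's3cret-pw';            // 9 bytes, so it is padded to 16
$roundTripped = zeroPad($password); // what decryption hands back

$expected = digestSecret($user, $realm, $password);
var_dump(strlen($roundTripped));                                           // padded length
var_dump(digestSecret($user, $realm, $roundTripped) === $expected);        // padded: mismatch
var_dump(digestSecret($user, $realm, stripPadding($roundTripped)) === $expected);
var_dump(unpackWithLength(packWithLength($password)) === $password);
var_dump(stripPadding(zeroPad("bin\0")) === "bin\0");                      // rtrim loses a real NUL
```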