6.0.0-git
2019-04-24

[#9121] decrypted password issue (DIGEST-MD5)
Summary: decrypted password issue (DIGEST-MD5)
Queue: IMP
Queue Version: Git master
Type: Bug
State: Resolved
Priority: 1. Low
Owners: slusarz (at) horde (dot) org
Requester: imp (at) lx-soft (dot) com
Created: 2010-07-02 (3218 days ago)
Due:
Updated: 2010-07-02 (3218 days ago)
Assigned: 2010-07-02 (3218 days ago)
Resolved: 2010-07-02 (3218 days ago)
Milestone:
Patch: Yes

History
2010-07-02 17:45:37 Michael Slusarz State ⇒ Resolved
 
2010-07-02 09:07:14 Jan Schneider Assigned to Michael Slusarz
State ⇒ Assigned
 
2010-07-02 09:07:03 Jan Schneider Deleted Original Message
 
2010-07-02 08:06:06 imp (at) lx-soft (dot) com Comment #2
New Attachment: Secret.php[1].diff
This second patch is even simpler/better.
2010-07-02 07:15:16 imp (at) lx-soft (dot) com Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ decrypted password issue (DIGEST-MD5)
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ Yes
New Attachment: Secret.php.diff
Dear Horde Team,

According to: http://www.php.net/manual/en/function.mcrypt-generic.php

A stored password may be padded with \0 if its length is not the 
same as the block size (8 chars).

This feature is used by Crypt::Blowfish, which is used again by 
Horde::Secret to store the password used to do DIGEST-MD5 Authentication.

I've attached a patch which checks the length of the encrypted message.
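
The padding effect reported in this ticket, as an added example that is not part of the ticket or of Horde's code. It leaves the Blowfish step out (decryption returns exactly the padded plaintext) and shows how NUL padding changes the DIGEST-MD5 hash input; the length-prefix `store`/`load` pair is a hypothetical fix, not the attached patch.

```python
import hashlib

BLOCK = 8  # Blowfish block size in bytes


def zero_pad(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of BLOCK, as mcrypt_generic() does."""
    return data + b"\0" * (-len(data) % BLOCK)


def ha1(user: str, realm: str, password: bytes) -> str:
    """MD5(user:realm:password), the password-dependent hash in RFC 2831."""
    material = user.encode() + b":" + realm.encode() + b":" + password
    return hashlib.md5(material).hexdigest()


def store(password: bytes) -> bytes:
    """Hypothetical fix: record the true length in front of the plaintext."""
    return zero_pad(len(password).to_bytes(2, "big") + password)


def load(plaintext: bytes) -> bytes:
    """Recover exactly the original bytes from a store()d plaintext."""
    n = int.from_bytes(plaintext[:2], "big")
    if n > len(plaintext) - 2:
        raise ValueError("stored length exceeds plaintext")
    return plaintext[2:2 + n]


def demo() -> dict:
    # Constructed sample values, not taken from the ticket.
    user, realm, pw = "alice", "example.org", b"secret"
    padded = zero_pad(pw)  # what comes back after decrypt without a length
    return {
        "padded": padded,
        "hash_matches_without_fix": ha1(user, realm, padded) == ha1(user, realm, pw),
        "hash_matches_with_fix": ha1(user, realm, load(store(pw))) == ha1(user, realm, pw),
        # Stripping NULs instead would also eat a password's own trailing NUL.
        "rstrip_is_lossy": zero_pad(b"pw\0").rstrip(b"\0") != b"pw\0",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```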

