Status


Bugzilla
Bugzilla-General
P3
trivial
VERIFIED INVALID
19 years ago
10 months ago

People

(Reporter: mgong, Assigned: justdave)

(Reporter)

Description

19 years ago
It doesn't appear as though an exact match for a user's password is required
(i.e. maybnsj or maybnsjgggg both work for a password which should have been
maybnsjg).  I haven't tested too many, but it seems that a lot of different
passwords work.  This is a potential security leak.

-Matt Gong

Updated

19 years ago
Status: NEW → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → INVALID

Comment 1

19 years ago
I believe you are seeing the fact that only the first eight characters of the
password are used.  This is nothing new; Unix-based password schemes have had
that problem for a very long time now.  It's just the way the low-level password
code works.
(Reporter)

Comment 2

19 years ago
Oh, ok.. I wasn't aware of that.. thanks Terry!
Verified that Unix is insecure.
Status: RESOLVED → VERIFIED
QA Contact: matty
moving to Bugzilla product
reassign to default owner/qa for INVALID/WONTFIX/WORKSFORME/DUPLICATE
Assignee: terry → justdave
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified

Comment 5

12 years ago
*** Bug 316829 has been marked as a duplicate of this bug. ***
bug 211006 is tracking a fix for this (use md5 instead of crypt)
Severity: critical → trivial
QA Contact: matty_is_a_geek → default-qa
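
The truncation described in Comment 1, as an added example that is not part of the original bug report or of Bugzilla's code: a check that measures how many leading characters of a password a hashing routine actually uses, and which candidate passwords it would accept for a stored one. `legacy_model` is a constructed stand-in for the eight-character behaviour (not DES crypt itself), `full_input_md5` stands for the md5 replacement named in the last comment, and the function names, the salt `"ab"` and the candidate `maybnsjh` are assumptions.

```python
import hashlib

def legacy_model(password, salt="ab"):
    """Constructed stand-in for the behaviour in Comment 1: only the first
    eight characters reach the hash. This is not DES crypt(3) itself."""
    return hashlib.sha256((salt + password[:8]).encode()).hexdigest()

def full_input_md5(password, salt="ab"):
    """Salted MD5 over the whole password, the replacement the bug names.
    The salt handling here is an assumption made for the example."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def significant_length(hash_fn, max_len=64):
    """Number of leading characters that influence hash_fn's output.

    Flips one position at a time in a max_len-character probe; the first
    position whose change leaves the hash untouched marks the cut-off.
    Returns max_len when every probed position matters."""
    probe = "a" * max_len
    reference = hash_fn(probe)
    for i in range(max_len):
        if hash_fn(probe[:i] + "b" + probe[i + 1:]) == reference:
            return i
    return max_len

def accepted_variants(hash_fn, password, candidates):
    """Candidates that differ from password yet hash to the same stored value."""
    stored = hash_fn(password)
    return [c for c in candidates if c != password and hash_fn(c) == stored]

if __name__ == "__main__":
    # "maybnsjg" and "maybnsjgggg" come from the report; "maybnsjh" is constructed.
    tries = ["maybnsjgggg", "maybnsjh"]
    for name, fn in (("legacy model", legacy_model),
                     ("full-input md5", full_input_md5)):
        print(name, significant_length(fn),
              accepted_variants(fn, "maybnsjg", tries))
```

To audit a real routine, pass a wrapper around it as `hash_fn` with a fixed salt so that repeated calls are comparable.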