Successful login with bad password if it contains the good pass

User Accounts
13 years ago


(Reporter: Krzysztof Kozlowski, Unassigned)
13 years ago
User-Agent:       Opera/7.54 (X11; FreeBSD i386; U)  [en]
Build Identifier: Opera 7.54

When we have a password ending with some numbers (I've tried with 2 numbers) we
could log in to an account with that password extended by some numbers, e.g. when we
have a password like "Kkrowa12" then we could log in with the password "Kkrowa123".

I haven't tried all of the combinations (Bugzilla 2.18 and 2.19+), but the above works.
It seems like the number of letters is important, or the first two have to be the
same (capital and normal). On "krowa12" this didn't work out... but "Kkrowa12"
was OK.

Reproducible: Always

Steps to Reproduce:
1. Create a password: 5 or 6 letters and 2 numbers.
2. Try to log in with that password extended by some number.

Actual Results:  
Successful login to an account with a bad (not accurate) password.

Expected Results:  
"Bad password or username"...

It works on Opera 7.54 on BSD and on Mozilla (Windows?). Originally confirmed
by Rafal Mileszczyk merlino [at] wp [dot] pl .

Comment 1

13 years ago
Did this work with passwords shorter than 8 characters?
IIRC, Crypt only uses the first 8.

Comment 2

13 years ago

       crypt is the password encryption function.  It is based on the Data
       Encryption Standard algorithm with variations intended (among other
       things) to discourage use of hardware implementations of a key search.

       key is a user's typed password.

       salt is a two-character string chosen from the set [a-zA-Z0-9./].  This
       string is used to perturb the algorithm in one of 4096 different ways.

       By taking the lowest 7 bits of each of the first eight characters of
       the key, a 56-bit key is obtained.  This 56-bit key is used to encrypt
       repeatedly a constant string (usually a string consisting of all
       zeros).  The returned value points to the encrypted password, a series
       of 13 printable ASCII characters (the first two characters represent
       the salt itself).  The return value points to static data whose content
       is overwritten by each call.
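
An added illustration (not part of the bug report or of Bugzilla's code) that follows the crypt(3) description above: only the lowest 7 bits of the first eight characters enter the 56-bit key, so any two passwords sharing their first eight characters get the same hash, which is the "Kkrowa12" / "Kkrowa123" behaviour in the report and also why a 7-character password like "krowa12" does not show it. The audit helper flags 13-character legacy hashes in stored data; PBKDF2 stands in for any modern salted password hash.

```python
import hashlib
import os

def des_crypt_key(password: str) -> bytes:
    """Derive the 56-bit key the way traditional crypt(3) does: the lowest
    7 bits of each of the FIRST EIGHT characters, zero-padded if shorter.
    Only the key derivation is reproduced here, not the DES rounds."""
    # Characters beyond the eighth never reach the algorithm at all.
    first_eight = password.encode("latin-1", "replace")[:8].ljust(8, b"\0")
    bits = "".join(format(c & 0x7F, "07b") for c in first_eight)  # 8 x 7 = 56 bits
    return int(bits, 2).to_bytes(7, "big")

def legacy_hashes_collide(pw_a: str, pw_b: str) -> bool:
    """True when DES crypt() would store the same hash for both passwords."""
    return des_crypt_key(pw_a) == des_crypt_key(pw_b)

def modern_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the whole password: no length cut-off."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def is_legacy_des_hash(stored: str) -> bool:
    """Audit helper: a traditional DES crypt() hash is exactly 13 characters
    from [a-zA-Z0-9./] (salt + digest) and carries no '$id$' scheme prefix."""
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")
    return len(stored) == 13 and set(stored) <= allowed

if __name__ == "__main__":
    # Constructed sample values, taken from the wording of the report.
    print(legacy_hashes_collide("Kkrowa12", "Kkrowa123"))  # True: same first 8 chars
    print(legacy_hashes_collide("krowa12", "krowa123"))    # False: 7 chars, 8th differs
    salt = os.urandom(16)
    print(modern_hash("Kkrowa12", salt) == modern_hash("Kkrowa123", salt))  # False
```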

Comment 3

13 years ago
Bug 211006 comment 1 actually mentions that because we use crypt(), only the
first 8 characters matter.

*** This bug has been marked as a duplicate of 211006 ***
Group: webtools-security
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
*** Bug 285907 has been marked as a duplicate of this bug. ***

Comment 6

13 years ago
Doh... that could be it :). That works only on 8 or more letters, but not in
all cases - the password must end with two digits. I'm confused - really strange
authentication mechanism these days... :/

Sorry about duplication - form posted twice ? 