Closed Bug 388020 Opened 18 years ago Closed 18 years ago

Bugzilla is using DES encryption for user passwords

Categories

(Bugzilla :: User Accounts, defect)

Hardware: x86
OS: Linux
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED DUPLICATE of bug 211006

People

(Reporter: ismail, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; tr-TR; rv:1.8.1.4) Gecko/20070529 Pardus/2007 Firefox/2.0.0.4
Build Identifier:

Looking at Bugzilla/Util.pm line 425:

    sub bz_crypt {
        [...]
        my $salt = '';   # <----- HERE
        for ( my $i=0 ; $i < 8 ; ++$i ) {
            $salt .= $saltchars[rand(64)];
        }

        # Crypt the password.
        my $cryptedpassword = crypt($password, $salt);
        [...]
    }

So the salt consists of 8 random characters, but crypt(3) says that to be able to use MD5, the salt should start with $1$. From crypt(3):

    [...] If salt is a character string starting with the three characters "$1$" followed by at most eight characters, and optionally terminated by "$", then instead of using the DES machine, the glibc crypt function uses an MD5-based algorithm, [...]

This results in trimming user passwords to 8 characters, so if you have a password with 10 characters, Bugzilla will only check 8 characters.

Reproducible: Always

Steps to Reproduce:
1. Install Bugzilla 3.0
2. Set your password to 01234567

Actual Results:
You can log in with 01234567abcfoobar as the password, as only the first 8 characters matter.

Expected Results:
Bugzilla should use MD5 so there won't be a maximum password length.
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
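An added example in Perl (not code from the report or from Bugzilla itself), assuming a glibc-style crypt(3) that switches to MD5 crypt when the salt begins with $1$: it reproduces the 8-character truncation the report describes, shows the salt prefix that avoids it, and classifies a stored hash by its format so legacy DES hashes can be found.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own code. Assumes a glibc-style crypt(3)
# that selects MD5 crypt when the salt begins with "$1$".
use strict;
use warnings;

# 64-character salt alphabet, as bz_crypt's @saltchars is assumed to be.
my @saltchars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

sub random_salt {
    my ($len) = @_;
    return join '', map { $saltchars[int rand 64] } 1 .. $len;
}

# What bz_crypt does: an 8-character salt with no "$1$" prefix, so crypt(3)
# falls back to DES, which keys on only the first 8 password characters.
sub des_crypt {
    my ($password) = @_;
    return crypt($password, random_salt(8));
}

# The fix the report asks for: a "$1$" prefix makes crypt(3) use MD5 crypt,
# which hashes the whole password.
sub md5_crypt {
    my ($password) = @_;
    return crypt($password, '$1$' . random_salt(8) . '$');
}

# A crypt(3) hash embeds its own salt, so passing the stored hash back as
# the salt re-runs whichever scheme produced it.
sub check_password {
    my ($password, $stored) = @_;
    return crypt($password, $stored) eq $stored;
}

# A DES hash is 13 characters with no "$" prefix; MD5 crypt output starts
# with "$1$". Useful for auditing stored hashes for accounts still on DES.
sub hash_scheme {
    my ($stored) = @_;
    return $stored =~ /^\$1\$/ ? 'md5' : 'des';
}

my ($short, $long) = ('01234567', '01234567abcfoobar');
for my $hash (des_crypt($short), md5_crypt($short)) {
    printf "%-3s hash %s: '%s' accepted for '%s'? %s\n",
        hash_scheme($hash), $hash, $long, $short,
        check_password($long, $hash) ? 'yes' : 'no';
}
```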