View Issue Details

ID: 0008467
Project: mantisbt
Category: security
View Status: public
Last Update: 2007-12-04 10:33
Reporter: FRnunurs
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.0rc1
Target Version: 1.1.0rc2
Fixed in Version: 1.1.0rc2
Summary: 0008467: Users can login using the MD5 hash of the password
Description

When you try to log in with an existing login and the md5 hash of the password:

  • you CAN log in to the session
  • the real password is replaced by its md5 in the database.

Steps To Reproduce

  • get an existing login and its password (or just the login and its md5 hash password)
  • try to log in with login/md5 password
  • now you're logged in ( Oo !! ) and the password in the database is replaced by its md5... ( Oo !!² )

You can try again with the md5 of the md5 ... and again and again ...

Tags: No tags attached.

Relationships

has duplicate 0008635 (closed, vboctor): The encryption password is insecure

Activities

vboctor

2007-10-15 10:08

manager   ~0015877

I haven't attempted to reproduce this yet, but I have targeted for both rc2. We should also check if this is applicable to Mantis 1.0.x branch. The good thing is that this can only be exploited if the hacker has access to the database, which hopefully wouldn't be the case. However, we should fix it anyway.

vboctor

2007-10-19 02:53

manager   ~0015902

I've reproduced the problem, the fix is as follows:

In core/authentication_api.php: auth_does_password_match()

Replace:

# pass the stored password in as the salt
if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {

With:

# pass the stored password in as the salt
if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {
    # Do not support migration to PLAIN, since this would be a crazy thing to do.
    # Also if we do, then a user will be able to login by providing the MD5 value
    # that is copied from the database.  See 0008467 for more details.
    if ( $t_configured_login_method != PLAIN && $t_login_method == PLAIN ) {
        continue;
    }
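
A minimal model of the flaw and of the guard from the fix above, added here as an illustration; it is not MantisBT's code. The method list, the migration step, the in-memory `$db` array and all function names are assumptions made for the example.

```php
<?php
// Simplified model of the check discussed in this issue; not MantisBT's code.
// Assumed for the example: the method list, the migration step, the $db array.
const PLAIN = 'plain';
const MD5 = 'md5';

function process_password(string $password, string $method): string {
    return $method === MD5 ? md5($password) : $password;
}

// $patched switches on the guard from the fix in note ~0015902.
function password_matches(array &$db, string $user, string $test,
                          string $configured, bool $patched): bool {
    $stored = $db[$user];
    foreach ([MD5, PLAIN] as $method) {
        if (!hash_equals($stored, process_password($test, $method))) {
            continue;
        }
        // Guard: a PLAIN match counts only when PLAIN is the configured method.
        if ($patched && $configured !== PLAIN && $method === PLAIN) {
            continue;
        }
        // Migration: a match under another method re-stores the submitted
        // value under the configured method.
        if ($method !== $configured) {
            $db[$user] = process_password($test, $configured);
        }
        return true;
    }
    return false;
}

$hash = md5('correct horse'); // constructed sample credential
foreach ([false, true] as $patched) {
    $db = ['alice' => $hash];
    $hashAccepted = password_matches($db, 'alice', $hash, MD5, $patched);
    $rewritten = $db['alice'] !== $hash;
    $realWorks = password_matches($db, 'alice', 'correct horse', MD5, $patched);
    printf("%s: hash accepted=%s, stored value rewritten=%s, real password works=%s\n",
        $patched ? 'patched' : 'unpatched',
        var_export($hashAccepted, true),
        var_export($rewritten, true),
        var_export($realWorks, true));
}
```

In the unpatched run the copied hash is accepted through the PLAIN comparison and the stored value becomes the MD5 of the MD5, so the real password stops working. With the guard in place the hash is rejected and the record is left untouched.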

Issue History

Date Modified Username Field Change
2007-10-15 04:07 FRnunurs New Issue
2007-10-15 10:08 vboctor Note Added: 0015877
2007-10-15 10:08 vboctor Target Version => 1.1.0rc2
2007-10-19 02:53 vboctor Status new => resolved
2007-10-19 02:53 vboctor Fixed in Version => 1.1.0rc2
2007-10-19 02:53 vboctor Resolution open => fixed
2007-10-19 02:53 vboctor Assigned To => vboctor
2007-10-19 02:53 vboctor Note Added: 0015902
2007-10-21 19:45 vboctor Category authentication => security
2007-10-21 19:45 vboctor Summary Major bug in authentification process => Users can login using the MD5 hash of the password
2007-10-24 02:27 vboctor Status resolved => closed
2007-12-04 10:33 vboctor View Status private => public
2007-12-04 10:33 vboctor Relationship added has duplicate 0008635