mahara-contributors team mailing list archive

Thread
Date

[Bug 662424] Re: User able to login with cleartext password and no salt

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Richard Mansfield <662424@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Nov 2010 20:40:31 -0000
Reply-to: Bug 662424 <662424@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Visibility changed to: Public

-- 
User able to login with cleartext password and no salt
https://bugs.launchpad.net/bugs/662424
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.

Status in Mahara ePortfolio: Fix Committed

Bug description:
There seems to be two issues here:
1 - When resetting a user's password (via 'Acount Settings' as Admin user), the password is saved in cleartext and with no salt in the usr table.
2 - User login is then also possible with a cleartext password and no salt!

I have tested this on the the following branches:
  1.0_STABLE
  1.1_STABLE
  1.2_STABLE
  1.3_STABLE
  master

The issue seems to be present in all of the above branches.

Relevant system specs:
Ubuntu 10.04
Postgres 8.4.5

Cheers and hope this helps ;),
Eugene.