[ic] security problem in Admin UI login?

Kevin Walsh interchange-users@icdevgroup.org
Thu Aug 15 07:05:04 2002


> 
> I just discovered something when I *mis*-typed my password
> to get into an Admin for an IC site.....
> 
> I have a password which includes letters AND numbers......
> 
> If I type in the letters only and leave off the numbers .... I'm in.
> 
> If I type in the whole thing..... I'm in.
> 
> If I type in only *part* of the letters correctly (although it needs
> to be most of them).... I'm in.
> 
> Can anyone else confirm this?
> RH Linux 7.2
> IC 4.8.3
> 
> I confirmed that all cookies/cache were deleted and a new
> browser window opened, and all of the above worked in IE 6
> as well as in Opera.
> 
> This could be a serious thing....
> 
Interchange uses crypt() which only uses the first eight characters
of your password.  If, in your test, your numbers come after the
first eight characters then crypt() will not notice if you omit them.

7 bits * 8 characters = 56 bit key.

For this reason, "password" (8 chars) is treated the same as
"password123" while "password" is not the same as "pass1234" or
"passwd12".  If your password was "pass1234" then leaving off the
numbers would cause the password comparison to fail.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
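
Added example (not part of the original message and not Interchange code): a Python sketch of the key material traditional DES crypt() derives from a password, showing why the pairs named in the reply do or do not collide, plus a check that flags stored hashes in the legacy 13-character format. The function names are hypothetical, the sample hash strings are constructed placeholders, and the code models only the key derivation, not the hash itself.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def des_crypt_key(password: str) -> bytes:
    """Return the 8 key bytes (56 effective bits) traditional crypt() feeds to DES.

    Only the low 7 bits of each of the first 8 bytes are used. Each is shifted
    left by one because DES ignores the low (parity) bit of every key byte.
    Shorter passwords are zero-padded.
    """
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)


def same_under_des_crypt(a: str, b: str) -> bool:
    """True if traditional crypt() cannot tell the two passwords apart, for any salt."""
    return des_crypt_key(a) == des_crypt_key(b)


def ignored_suffix(password: str) -> str:
    """The part of the password that traditional crypt() never looks at."""
    return password.encode("utf-8")[8:].decode("utf-8", errors="replace")


def is_des_crypt_hash(stored: str) -> bool:
    """Flag a stored hash that has the legacy 13-character DES crypt shape."""
    return DES_CRYPT_RE.fullmatch(stored) is not None


if __name__ == "__main__":
    pairs = [("password", "password123"), ("password", "pass1234"),
             ("password", "passwd12"), ("pass1234", "pass")]
    for a, b in pairs:
        print(f"{a!r} vs {b!r}: indistinguishable={same_under_des_crypt(a, b)}")
    print("ignored part of 'password123':", repr(ignored_suffix("password123")))

    # Constructed strings with the right shape only; these are not real hashes.
    samples = ["ab" + "." * 11, "$6$saltsalt$" + "x" * 86]
    for h in samples:
        kind = "legacy DES crypt" if is_des_crypt_hash(h) else "other scheme"
        print(f"{h[:16]:<16} -> {kind}")
```

Any account whose stored hash matches the 13-character shape gets no benefit from password characters past the eighth.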