[Secure-testing-team] Bug#508312: libuser-simple-perl: session id: highly predictable and collisions-prone
Eugene V. Lyubimkin
jackyf.devel at gmail.com
Tue Dec 9 21:15:59 UTC 2008
Package: libuser-simple-perl
Version: 1.40-1
Severity: important
Tags: security, patch
The session id computed by this package is just the md5 of the Unix timestamp at
the moment of the call. Thus this session id can be simply brute-forced by an
attacker if he knows approximately when the user authorized. And this also
means that two happy users who authorize in the same second will have
identical session ids.
I would suggest adding the login and password to the timestamp, and only then doing
md5(...) (this can be considered the simplest patch :)); this approach will
fix the problems mentioned above.
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.28-rc7jackyf (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libuser-simple-perl depends on:
ii libdate-calc-perl 5.4-5+b1 Perl library for accessing dates
ii libdbi-perl 1.607-1 Perl5 database interface by Tim Bu
ii perl 5.10.0-18 Larry Wall's Practical Extraction
libuser-simple-perl recommends no packages.
libuser-simple-perl suggests no packages.
-- no debconf information
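The following is an added example, not code from the bug report or from libuser-simple-perl itself. It models in Python the scheme the report describes (session id = md5 of the Unix timestamp), then shows both consequences the reporter points out: an attacker who knows roughly when the victim logged in recovers the timestamp, and therefore the session id, with a few thousand MD5 calls, and two logins in the same second produce the same id. It also shows the usual fix, a session id drawn from the OS CSPRNG. Assumptions: the timestamp is hashed as its decimal string (what Perl's `md5_hex(time)` would do; the module's exact formatting is not shown on the page), and the login time used as sample input is constructed for the demo.

```python
import hashlib
import secrets
from typing import Optional


def weak_session_id(login_time: int) -> str:
    """Model of the scheme the report describes: MD5 over the Unix timestamp.

    Assumption: the timestamp is hashed as its decimal string, as Perl's
    md5_hex(time) would do. This models the report, it is not the module's code.
    """
    return hashlib.md5(str(login_time).encode("ascii")).hexdigest()


def brute_force_session_id(target_id: str, approx_time: int,
                           window_seconds: int) -> Optional[int]:
    """Recover the login timestamp behind a weak session id.

    The attacker only needs a rough idea of when the victim logged in: every
    second in [approx_time - window, approx_time + window] is hashed and
    compared against the observed id. That is 2 * window + 1 MD5 calls, which
    is negligible even for a window of several days.
    """
    for candidate in range(approx_time - window_seconds,
                           approx_time + window_seconds + 1):
        if weak_session_id(candidate) == target_id:
            return candidate
    return None


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG: neither guessable nor prone to collisions."""
    return secrets.token_hex(16)


def demo():
    """Run the attack and the collision on constructed sample data."""
    # Constructed sample: the victim logged in at this Unix time
    # (Tue Dec 9 21:15:59 UTC 2008, chosen to match the report's date).
    victim_login = 1228857359
    victim_id = weak_session_id(victim_login)

    # Attacker knows only that the login happened "this evening": guess a
    # time 20 minutes off and search +/- 6 hours around it.
    recovered = brute_force_session_id(victim_id, victim_login + 1234, 6 * 3600)

    # A second user authorizing in the same second gets the identical id.
    same_second_collision = weak_session_id(victim_login) == victim_id

    # Hardened variant: two ids from the CSPRNG differ and reveal no timing.
    strong_ids_differ = strong_session_id() != strong_session_id()

    return recovered, same_second_collision, strong_ids_differ


if __name__ == "__main__":
    recovered, collision, differ = demo()
    print("recovered login timestamp:", recovered)
    print("same-second collision:", collision)
    print("CSPRNG ids differ:", differ)
```

Note that mixing the login and password into the hashed input, as the report suggests, removes the same-second collision but still leaves an id that is a deterministic function of guessable or stolen values; a fresh random token per session, as in `strong_session_id`, is the standard remedy.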