Re: [courier-users] Bug? courier-authlib authenticates with extra characters at the end of the password - Jose Celestino - net.sourceforge.lists.courier-users

4 messages in net.sourceforge.lists.courier-usersRe: [courier-users] Bug? courier-auth...

From	Sent On	Attachments
Mantrid	Jul 10, 2009 6:13 pm
Sam Varshavchik	Jul 10, 2009 7:05 pm
Jose Celestino	Jul 10, 2009 8:51 pm
Mantrid	Jul 11, 2009 7:32 pm

Subject:	Re: [courier-users] Bug? courier-authlib authenticates with extra characters at the end of the password
From:	Jose Celestino (ja...@co.sapo.pt)
Date:	Jul 10, 2009 8:51:59 pm
List:	net.sourceforge.lists.courier-users

On Sáb, 2009-07-11 at 11:14 +1000, Mantrid wrote:

Problem description: Authentication is successful as long as the password provided starts with and contains the entire encrypted password, but additional characters are allowed

...

Note: the password hash was derived via <?php base64_encode(mhash(MHASH_SHA256, 'HornsbyIT')); ?>

No, you haven't used sha256 for that password, see:

$ perl -e "print crypt('HornsbyIT','qG')" qGu7ggIwKRmU.

Moreover, using crypt DES (versus MD5, SHA or Blowfish) only the first eight characters are relevant (used to build the key):

$ perl -e "print crypt('HornsbyI','qG')" qGu7ggIwKRmU.

$ perl -e "print crypt('HornsbyI to be or not to be','qG')" qGu7ggIwKRmU.

------------------------------------------------------------------------------ Enter the BlackBerry Developer Challenge This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets