Eugene V. Lyubimkin
2008-Dec-09 21:15 UTC
[Secure-testing-team] Bug#508312: libuser-simple-perl: session id: highly predictable and collisions-prone
Package: libuser-simple-perl
Version: 1.40-1
Severity: important
Tags: security, patch

The session id computed by this package is just the md5 of the Unix timestamp at the moment of the call. Thus, this session id can be simply bruteforced by an attacker if he knows the user's authorizing time approximately. This also means that two happy users who authorize in the same second will have identical session ids.

I would suggest adding the login and password to the timestamp, and only then doing md5(...) (can be considered the simplest patch :)); this approach will fix the problems mentioned above.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-rc7jackyf (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libuser-simple-perl depends on:
ii  libdate-calc-perl  5.4-5+b1   Perl library for accessing dates
ii  libdbi-perl        1.607-1    Perl5 database interface by Tim Bu
ii  perl               5.10.0-18  Larry Wall's Practical Extraction

libuser-simple-perl recommends no packages.

libuser-simple-perl suggests no packages.

-- no debconf information
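The weakness described in the report, as an added illustration that is not code from the report or from libuser-simple-perl (written in Python rather than Perl): a reimplementation of the md5-of-timestamp scheme, an audit check that confirms an id is derivable from a small window of login times, and a CSPRNG-based generator as the hardened alternative. The login timestamp and the window sizes are constructed sample values.

```python
import hashlib
import math
import secrets


def weak_session_id(login_time: int) -> str:
    # Reimplementation of the scheme the report describes: the id is the md5
    # of the Unix timestamp at the moment of the call, and nothing else.
    # Any two calls in the same second therefore return the same id.
    return hashlib.md5(str(login_time).encode("ascii")).hexdigest()


def strong_session_id(nbytes: int = 32) -> str:
    # Hardened alternative: 256 bits from the OS CSPRNG. The id has no relation
    # to time, login or password, so knowing when a user logged in reveals nothing.
    return secrets.token_hex(nbytes)


def audit_time_derived(session_id: str, approx_login_time: int, radius: int):
    """Audit check: return the timestamp within +/- radius seconds of the
    approximate login time that reproduces session_id under the weak scheme,
    or None if no timestamp in that window does. A generator that passes this
    check for realistic windows is not time-derived."""
    for t in range(approx_login_time - radius, approx_login_time + radius + 1):
        if weak_session_id(t) == session_id:
            return t
    return None


def effective_entropy_bits(radius: int) -> float:
    # The guessing space is the 2*radius+1 candidate timestamps, regardless of
    # the 128-bit output length of md5: a one-hour window is under 13 bits.
    return math.log2(2 * radius + 1)


if __name__ == "__main__":
    login = 1228857300  # constructed sample login time
    sid = weak_session_id(login)
    print("weak id recovered from +/-2 min window:",
          audit_time_derived(sid, login + 40, 120))
    print("effective bits in a one-hour window:",
          round(effective_entropy_bits(3600), 2))
    print("strong id derivable from time:",
          audit_time_derived(strong_session_id(), login, 3600))
```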