You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In iRedAdmin 2.6 it is possible to login by entering the password hash value into the login form instead of the corresponding plaintext password. This defeats any protection normally provided by password hashing (usually a leaked password hash does not give access immediately, because finding the matching plaintext password should be expensive, but with this implementation the password hash becomes equivalent to the plaintext password).
Looks like this code is the culprit — it accepts a plaintext match without the prefix even if the value stored in the database is actually a password hash:
In iRedAdmin 2.6 it is possible to login by entering the password hash value into the login form instead of the corresponding plaintext password. This defeats any protection normally provided by password hashing (usually a leaked password hash does not give access immediately, because finding the matching plaintext password should be expensive, but with this implementation the password hash becomes equivalent to the plaintext password).
Looks like this code is the culprit — it accepts a plaintext match without the prefix even if the value stored in the database is actually a password hash:
iRedAdmin/libs/iredpwd.py
Lines 516 to 521 in b537e71
This kind of plaintext password matching probably should be behind some configuration option, so that the default configuration is secure.
The text was updated successfully, but these errors were encountered: