
One of these things is not like the other #1193

Closed
paragonie-scott opened this issue Jun 20, 2016 · 3 comments

Comments


paragonie-scott commented Jun 20, 2016

directus_ad

```php
// As quoted in the issue: a single, fast SHA-1 over salt || password (behaviour kept as posted).
public static function hashPassword($password, $salt = '') {
    $composite = $salt . $password;   // salt is prepended, so the digest is sha1(salt || password)
    return sha1( $composite );
}
```

Not only are you not following best practices for user authentication, but that particular arrangement (sha1(salt || password)) is a classic setup for a length-extension attack.

Also, don't use uniqid() as a salt generator.


Recommendations:
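The length-extension property of the construction quoted in the comment above, as an added example that is not part of the original issue or of Directus's code: a from-scratch SHA-1 in Python whose compression loop can be resumed from a leaked digest, so that sha1(salt || password || glue || suffix) is computed without ever learning the salt. The salt and password values are constructed for the demonstration (the 13-character salt only mimics the shape of uniqid() output), and the function names are this example's own.

```python
import hashlib
import struct

# Standard SHA-1 initial state (the IV every sha1() call starts from).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_pad(message_len):
    """Merkle-Damgard padding SHA-1 appends to a message of message_len bytes."""
    pad = b"\x80" + b"\x00" * ((56 - (message_len + 1) % 64) % 64)
    return pad + struct.pack(">Q", message_len * 8)


def sha1_compress(state, block):
    """One SHA-1 compression over a 64-byte block, returning the new 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e)))


def sha1_from_state(state, data, bytes_already_hashed):
    """Resume SHA-1 from an arbitrary state as if bytes_already_hashed bytes had
    already gone through the compression function; absorb data and finalise."""
    padded = data + sha1_pad(bytes_already_hashed + len(data))
    for i in range(0, len(padded), 64):
        state = sha1_compress(state, padded[i:i + 64])
    return b"".join(struct.pack(">I", x) for x in state)


def sha1(data):
    """Plain SHA-1 built on the resumable core (used to cross-check against hashlib)."""
    return sha1_from_state(SHA1_IV, data, 0)


def self_check(data=b"abc"):
    return sha1(data) == hashlib.sha1(data).digest()


def length_extend(digest_hex, secret_len, known_tail, appended):
    """Given digest_hex = sha1(secret || known_tail), the length of secret and bytes
    to append, return (forged_tail, forged_digest_hex) with
    sha1(secret || forged_tail) == forged_digest_hex, never touching secret.
    The digest *is* the internal state after the last block, so hashing simply
    resumes from it; only the padding SHA-1 inserted (the "glue") is reproduced."""
    state = struct.unpack(">5I", bytes.fromhex(digest_hex))
    glue = sha1_pad(secret_len + len(known_tail))
    forged_tail = known_tail + glue + appended
    already = secret_len + len(known_tail) + len(glue)
    return forged_tail, sha1_from_state(state, appended, already).hex()


def demo():
    """Constructed scenario: the attacker knows their own password and the stored
    sha1(salt || password), and guesses the salt length (13, the width of a
    default uniqid() string) but not the salt itself."""
    salt = b"5767c4f1a2b3c"          # constructed; only the shape of uniqid() output
    password = b"correct horse"      # constructed
    stored = hashlib.sha1(salt + password).hexdigest()   # what hashPassword() would store

    tail, forged = length_extend(stored, len(salt), password, b" battery staple")
    # A verifier applying the same sha1(salt || input) accepts the forgery:
    return forged == hashlib.sha1(salt + tail).hexdigest()
```

Against a password store the forged (input, digest) pair is less damaging than against a MAC, since the attacker forges hashes for inputs of their choosing rather than recovering the salt, but it shows that sha1(salt || password) hands out its entire internal state with every digest. A purpose-built password hashing API removes both problems at once; in PHP, password_hash()/password_verify() (bcrypt by default) draw the salt from the system CSPRNG, so neither uniqid() nor a hand-rolled salt parameter is needed.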

@wellingguzman

Hi @paragonie-scott, thanks for the recommendation; it will help us make Directus more secure.

To be honest, we've been aware of the use of uniqid() and we plan to address all of this soon; we have been working on a lot of stuff and bug fixing right now.

We will take some time to work on security issues, which is also important.

@paragonie-scott

I can sympathize with having all your spare time accounted for with bug fixing, etc.

As a security researcher, however, I do take issue with products claiming to adhere to best practices and then, it turns out, actually don't. Security is hard. Cryptography is one of the more annoying aspects of security, where things like "comparing strings" can lead to disastrous results. Unless you happen to have access to security expertise through the community or on a contract basis, it would be wise to reword that section so you don't give your users a false sense of security.

@benhaynes

@paragonie-scott – Absolutely, we 100% agree. We've been chatting with a few folks adept in security (always looking for more!) and are moving into big security update/push over the next few weeks. Security audits/experts aren't cheap and being open-source we're always looking for community specialists who are interested in assessing/contributing to our framework.

If you have any interest in providing insight or pull-requests we'd love to chat with you further. Just sent you a Slack invite just in case ;)

In the meantime we'll look into adjusting the copy on our marketing site to better reflect the current state of our auth.

@benhaynes benhaynes modified the milestone: Current Release Jul 6, 2016
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 5, 2024