[Act-dev] a few ideas for legacy Act
alexm at alexm.org
Mon Sep 28 15:59:26 CEST 2015
Philippe Bruhat (BooK):
> Yes, the cookie is transmitted with every request, and I know very well
> that it can be used to steal sessions... I know because I do it from time
> to time, to help users. The only difference is that I pick the session
> id from the database directly. ;-)
Cookie stealing is a concern that could be solved through TLS but
password stealing is also worrying. I know that some Act users
request a new password each time they want to log in but this
trick doesn't solve the security issue either because the new
password can be stolen too.
> My memories from the Act hackathon of 2014 is that a bigger security
> issue is the hash we use for storing the password information. It is
> not very strong. One participant had a proposal for fixing that, but
> I don't remember what happened with it.
I see that lib/Act/Auth.pm, lib/Act/Handler/User/ChangePassword.pm and
lib/Act/Util.pm use Digest::MD5 without salt.
Digest::Bcrypt depends on Crypt::Eksblowfish::Bcrypt, which needs XS
support. I will try if it works in spectre before attempting to add
support for it in Act.
More information about the Act-dev