Artifact 1b5a5d3a6ea7e2126741587d8beeddc22285274b:

Manifest of check-in [1b5a5d3a6e] - Replace external openssl call with "crypt" egg.

The OpenSSL call was using the old UNIX crypt DES password hashing, which is very weak. Crypt will default to a more sensible mechanism (Blowfish, but in the future could transparently switch).

Old passwords will continue to work, because the crypt egg detects DES salts and happily hashes them. When creating new passwords, they will be hashed using the modern algorithm.

The OpenSSL call passed the password to the shell, so an onlooker on the server could see it in plaintext. It also neglected to escape the password for the shell, resulting in a command injection vulnerability.

by sjamaan on 2016-10-20 17:53:01.
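The two points in this check-in message, legacy DES hashes that should be replaced and a secret that must never travel through a shell command line, as an added Python example that is not part of the stml repository or of the crypt egg: it classifies stored crypt(3)-style hashes so legacy DES (and md5crypt) entries can be found in a password store and rehashed transparently at the next successful login, and it shows the no-shell pattern for the case where an external hasher must still be called. The `verify`/`make_hash` callables, the sample password file and the `openssl passwd -stdin -6` invocation are assumptions for illustration, not anything the project uses.

```python
import re
import subprocess

# Traditional DES crypt(3): a 2-character salt followed by 11 hash characters,
# all drawn from the crypt alphabet; 13 characters total and no "$" prefix.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format: "$<id>$...". The id names the scheme.
_MCF_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$")

# Scheme ids as emitted by crypt(3) implementations and bcrypt libraries.
_MCF_SCHEMES = {
    "1": "md5crypt",
    "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}

# Schemes acceptable for newly created passwords (policy choice, assumed).
STRONG_SCHEMES = {"bcrypt", "sha256crypt", "sha512crypt"}


def hash_scheme(stored: str) -> str:
    """Return the scheme name of a stored crypt-style hash, or "unknown"."""
    if _DES_RE.fullmatch(stored):
        return "des"
    m = _MCF_RE.match(stored)
    if m:
        return _MCF_SCHEMES.get(m.group("id"), "unknown")
    return "unknown"


def needs_rehash(stored: str) -> bool:
    """True when the stored hash should be replaced at the next successful login."""
    return hash_scheme(stored) not in STRONG_SCHEMES


def audit_password_file(lines):
    """Return [(user, scheme)] for every "user:hash" entry not using a strong scheme.

    Blank lines and "#" comments are skipped.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        if needs_rehash(stored):
            findings.append((user, hash_scheme(stored)))
    return findings


def login_and_upgrade(password, stored, verify, make_hash):
    """Verify a login and return the hash that should be stored afterwards.

    `verify(password, stored)` and `make_hash(password)` are the application's
    hashing primitives (assumed here; e.g. a bcrypt binding that, like the crypt
    egg, recognises a DES salt and hashes accordingly). On success a legacy hash
    is replaced by a fresh strong one; a failed login returns None.
    """
    if not verify(password, stored):
        return None
    return make_hash(password) if needs_rehash(stored) else stored


def hash_via_openssl(password: str) -> str:
    """If an external tool must be used: pass an argument list (no shell, so the
    password cannot alter the command) and feed the secret on stdin (so it does
    not appear in the process list). Assumes `openssl passwd -stdin -6`
    (sha512crypt), available in OpenSSL 1.1.1 and later.
    """
    if "\n" in password:
        raise ValueError("newline would terminate the stdin record")
    result = subprocess.run(
        ["openssl", "passwd", "-stdin", "-6"],
        input=password + "\n", capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


# Constructed sample password file: format-valid strings, not hashes of any
# real password.
SAMPLE_PASSWD = [
    "# user:hash",
    "alice:$2b$12$" + "a" * 53,
    "bob:ab" + "X" * 11,
    "carol:$6$saltsalt$" + "b" * 86,
    "dave:$1$salt$" + "c" * 22,
]

if __name__ == "__main__":
    for user, scheme in audit_password_file(SAMPLE_PASSWD):
        print(f"{user}: {scheme} hash should be rehashed at next login")
```

`audit_password_file` is the check to run once over the store after a change like this one; `login_and_upgrade` is what the login handler does so that, as the message says, old passwords keep working while every successful login leaves a modern hash behind.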


C Replace\sexternal\sopenssl\scall\swith\s"crypt"\segg.\n\nThe\sOpenSSL\scall\swas\susing\sthe\sold\sUNIX\scrypt\sDES\spassword\shashing,\nwhich\sis\svery\sweak.\sCrypt\swill\sdefault\sto\sa\smore\ssensible\smechanism\n(Blowfish,\sbut\sin\sthe\sfuture\scould\stransparently\sswitch).\n\nOld\spasswords\swill\scontinue\sto\swork,\sbecause\sthe\scrypt\segg\sdetects\sDES\nsalts\sand\shappily\shashes\sthem.\sWhen\screating\snew\spasswords,\sthey\swill\nbe\shashed\susing\sthe\smodern\salgorithm.\n\nThe\sOpenSSL\scall\spassed\sthe\spassword\sto\sthe\sshell,\sso\san\sonlooker\son\nthe\sserver\scould\ssee\sit\sin\splaintext.\sIt\salso\sneglected\sto\sescape\sthe\npassword\sfor\sthe\sshell,\sresulting\sin\sa\scommand\sinjection\nvulnerability.
D 2016-10-20T17:53:01.958
F COPYING 7d7e3bd4448ca5450c1a211675734ed6a5eae18a
F INSTALL 25d174366cb776ed21658fca3cf94c972ca00afc
F Makefile 865dfc83553603b09f1bda92b3b56b3d8ef58bd9
F README a1795f62051a1fb09549dc0f2e8c331d5f16aad3
F TODO 14eed9b843b4082b0bc6495bd67ab605c40bb026
F cookie.scm 49ca0d00a6f2892bde0d5fdcc0f49fdfacca9f17
F doc/Makefile 93337f215f2f8a95fc5ad27919d64abaf6147fa7
F doc/howto.txt a12cd3280470ed376b5c3e038921284b463eb246
F doc/manual.txt ae796565bb5385470a2853b1ee2c3e54e30e8687
F doc/stml-snapshot.png e6cb8d257ecc91afd2afe57866b4367a99ead1a9
F example/Makefile d224d59dcab73478e8d8d3a3c790bfaa15ab0f62
F example/POLICY da39a3ee5e6b4b0d3255bfef95601890afd80709
F example/README a8907c6b3f44da026c5ae7d0768ccaf065ad300e
F example/TODO 71853c6197a6a7f222db0f1978c7cb232b87c5ee
F example/db/db-tweaks.sql b1c54e147fb779da2ff7dc4ec2b71728c6bb1d38
F example/db/dump_db ce7ea67483845bdfbda02547be5fcb25004b1573 x
F example/docs/Setup-notes.txt 5087f9f4e89670456aa3d0de956ded8eb99c2ec7
F example/docs/comments.txt 77b3863af7a019060d23d086ce7a8b7b747e4845
F example/example/layout.css bbe01143385397ff3ad6ae2ab04ca66dda6c10d5
F example/example/markup.css 2ee4a6fa76e36f5ef75d1a722a0ba4d26583f5e3
F example/models/candidate.scm 70b60eb247567774d9aceabcf95baac10f4c0e4d
F example/models/maint.scm 236b7343e451d0a37eaac75914b6f405cef158c7
F example/models/person.scm 13b176d6effd56173d6b56506b9015e7165e73d4
F example/models/voting.scm 5caf28d651ec51921d6d31facdd46318c03c788a
F example/pages/action/view.scm e72ae3f7ddcdd98df3cb6b44e8080bdbda7ee537
F example/pages/footer/view.scm 619df4dd0ea350eef40833f1a2bd8777a7262bf4
F example/pages/header/control.scm c7463c753e490f417586c801ec94fab49d7ef277
F example/pages/header/view.scm c14538dbadfda9ba5972c7ef08c6ab770737c453
F example/pages/home/view.scm 03740d313984758f2caa9bd157fb10140336ab9e
F example/pages/index/control.scm 733e1bc04a11f9bdd5b88bd2af90ecb0bf96ea23
F example/pages/index/view.scm e6eeff7675a86f6fe0c9aef4aa54dc6ab1c902ab
F example/pages/learn/view.scm d368f45a4dd558bb1b165f0d38131fae60d71244
F example/pages/leftnav/control.scm 077adf479c737140a618ae7f8a6c650a7812ded9
F example/pages/leftnav/view.scm 29c5bd43ae690f94e1b544bb3cf3a9fdb0a8d5bd
F example/pages/login/control.scm 878dfed9dae00b8427f524aa0d7616c0a94ea139
F example/pages/login/view.scm 2971ee1fb198e035c325a33dd79f96cd59f1ccd2
F example/pages/maint/control.scm b0f23bc746801d06ce921c978dd37a1b3f53ccf1
F example/pages/maint/view.scm 7f97c343f3dc596f9022e11c7dccbe8187941487
F example/pages/new_account/control.scm 79ed917ee51e326c32eee6441d053bd02bc27cba
F example/pages/new_account/view.scm bc26c5b01cd32aeeeeb3baab2c77d5eba5682a31
F example/pages/pledge/view.scm 7d0aadf21d03eb1377ed509a84d402e98124e265
F example/pages/preferences/view.scm fb61146f5234b94340827bdf0b8fa22fbb31ea4b
F example/pages/rightcol/view.scm f05a664b96ce96414d91fd75d2b3b9c8cc2a98ae
F example/pages/sys-state/view.scm b45ac3279666f1dda4b5dddd0d2aee444b0e3c36
F example/pages/uspresident/control.scm 0387534663ad80b210c459c729c8621cc76c954d
F example/pages/uspresident/view.scm 00ad05ecb396c3c4cd470d0c78db6e563dfcbf83
F example/tests/test.scm f61402872452cf4e40b0434f503de09df6d78410
F example/www/layout.css c0a14ff4c44b1dbf96729751d28e8f5f6dfa7f05
F example/www/markup.css 45cda36b65535f386f8ad85db942d7a8c9f85b76
F formdat.scm 9664a46cedd4fd6d6cda85a299b405a8beb30f56
F html-filter.scm 7dc1b6a3b05bdc398b045c233b03503c578f9c40
F install.cfg.template e6a66ae4054b4aa986d8e21f5cc8f3e2c4d018da
F keystore.scm 1e4a5aef9c0c2be863e6a66e5fc0efe55801d6c7
F misc-stml.scm fb9cd2423493160b267e1c04c0be2cfbb19dc08d
F modules/twiki/Makefile a43954801940a2a5b599d13044e7f78ee0287513
F modules/twiki/misc-notes.txt 1de77e33b5f65de312a8c5461b55614a2a3e91f7
F modules/twiki/tlayout.css b333339cf012c9dd0558d01a54d6df712b0fc8a8
F modules/twiki/twiki-mod.scm d4d21ad3375b808e8571dff252597814db4b6049
F modules/twiki/twiki-test.scm ee0fdeaa83229b8a35cd0d2a1305f351b9c37160
F modules/twiki/twiki.l 8e7948394a2b8d7275aed64cd811fd393bd16302
F modules/twiki/twiki.l.scm 4356cb4b0ecf19f8929d073bd3e13d61a5e4b2fb
F modules/twiki/twiki.scm d0b51a85fd6629332516f7c8ff959aa5b494dd39
F modules/twiki/twikiparser.scm cc34f7c51ff148f7bde598a68e54766b8c7bc67b
F requirements.scm.template b71aaa144e2222d3beea0665f5ba3d9c3d8d88d0
F rollup-pages.scm b24bc2e231cdea5d2ea184988eb849f99a6ca36f
F session.scm feaf3112af1632618c700ac6e2574832d7040821
F sessions.sql 051fddcb1385e8c54dc70784b1b4b0bccd639265
F setup.scm 90e6633a2e66eb21c41a095e644683ccfd3e1c0a
F spiffyserver.scm 0953505b2d015a92108c7cb15c4ea430bb1b8d74
F sqlite3.scm 935dbe7787293cd00d09c0efe7ad9982714cd634
F sqltbl.scm 29093c83c7a4b8f98924bcb80e3ae2d54a0e1726
F stml.config.template 007967e3cef503e6935ed667970345e3b4b7bdfb
F stml.meta e8cabdbc7942c0ae50a1ac196ec9dfe35760a3a6
F stml.scm 5df99c79b1d3d8a8d1c7ba6b8912f3e04e7adaa3
F stml.setup b663e1c0bf9c50924d0b70ee79307fdef6db6392
F stmlcommon.scm c37d1e85893ff98d7b9e3c1756b9f5ca1440d119
F stmlmodule.scm 296e0e34a7b78e7942078c2e6785120e5aaf302c
F stmlrun.scm a5be661feee5b502af5fcedfc0efeafc008c1330
F sugar.scm 8c9838f5ec41dc234bfc70951e046c8fcdb754b8
F test.scm 62a996e09539fd1e41b7cd1c3078dfa08f08da84
F test.stml 0f6611f558dffeff82d0ba089bdcef3f5ff52c7c
F tests/example.post.binary.in a9df00433e134666c30f2cfeaa15a5bb22427e33
F tests/example.post.in 459133135e575b9cb2b2cca958a686f706b7c7c8
F tests/models/test.scm d92e100cbcc2a2f0548035d51adb2f32979fb3b8
F tests/pages/test/control.scm 3d3e9e16d30193cffcad0db8621b30b39bf75cc6
F tests/pages/test/view.scm 79bce22dd6d7a22fc0b8989043d74fa5e34cb0ce
F tests/test.scm 7deafec4802d0f5a5757ac4dc3ebf3bf6d54128a
F testscript.sh 48d42095846d58c7f4ca9ed77071f907250d5236
P 445ea184aebf8989ce80fa16e16e89a6f0766a81
R a61f74818349c119daa790a8d10c6cea
U sjamaan
Z 20113d1f036136cb1922a9747e101847