Moodle tracker: MDL-46016

Shibboleth contains misleading comment regarding user passwords


    • 13
    • BACKEND Sprint 14

      I was reading through the Shibboleth code and found this in auth/shibboleth/index.php near line 37:

          /// If we can find the Shibboleth attribute, save it in session and return to main login page
          if (!empty($_SERVER[$pluginconfig->user_attribute])) {    // Shibboleth auto-login
              $frm = new stdClass();
              $frm->username = strtolower($_SERVER[$pluginconfig->user_attribute]);
              $frm->password = substr(base64_encode($_SERVER[$pluginconfig->user_attribute]),0,8);
              // The random password consists of the first 8 letters of the base 64 encoded user ID
              // This password is never used unless the user account is converted to manual
              // ... (rest of the block not quoted in the report)
          }

      The problem is that I don't believe Base64 is random at all, and for short usernames it could yield extremely short passwords. For instance, the first 8 characters of the Base64-encoded username 'ted' are 'dGVk'.

      I am certainly no security expert, but if a site for whatever reason decided to stop using Shibboleth, anyone could stick a bunch of known usernames through Base64 and easily have the first 8 characters.

      It seems like a bunch of randomized garbage characters would be a better idea to use. I really hope I am missing something here.
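The derivation quoted in the report, a CSPRNG replacement, and an audit that finds accounts still carrying the username-derived password, as an added Python example that is not part of the report or of Moodle's code. The SHA-256 stand-in hash, the sample accounts and all helper names are constructed for the demo; in a real audit the site's own password verification takes the place of `_demo_verify`.

```python
import base64
import hashlib
import math
import secrets
import string


def weak_password(user_attribute: str) -> str:
    """Mirrors substr(base64_encode($_SERVER[$pluginconfig->user_attribute]), 0, 8):
    fully determined by the attribute value, so anyone who knows the username
    can compute it."""
    return base64.b64encode(user_attribute.encode("utf-8")).decode("ascii")[:8]


def weak_password_length(user_attribute: str) -> int:
    """Base64 emits 4 characters (padding included) per 3 input bytes, so an
    attribute of 1 to 3 bytes gives a 4-character password; longer ones are
    capped at 8 by the substr()."""
    return min(8, 4 * math.ceil(len(user_attribute.encode("utf-8")) / 3))


def random_password(length: int = 8) -> str:
    """What the comment claims the code does: CSPRNG output, independent of
    the username (constructed replacement, not Moodle's own generator)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_predictable_accounts(accounts, verify):
    """Audit after a site converts Shibboleth users to manual auth: report
    the usernames whose stored credential still verifies against the
    username-derived password. `accounts` maps attribute value -> stored
    hash; `verify(password, stored)` is the site's own check."""
    return sorted(u for u, stored in accounts.items() if verify(weak_password(u), stored))


# Constructed demo hash: plain SHA-256 stands in for the real password hash.
def _demo_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _demo_verify(password: str, stored: str) -> bool:
    return secrets.compare_digest(_demo_hash(password), stored)


# Constructed sample accounts: two never had their password changed after
# conversion, one was reset to a random password.
DEMO_ACCOUNTS = {
    "ted": _demo_hash(weak_password("ted")),
    "alice.smith": _demo_hash(random_password()),
    "bob": _demo_hash(weak_password("bob")),
}

if __name__ == "__main__":
    for u in ("ted", "alice.smith"):
        print(f"{u!r}: derived password {weak_password(u)!r} ({weak_password_length(u)} chars)")
    print("still on derived password:", find_predictable_accounts(DEMO_ACCOUNTS, _demo_verify))
```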

            People: Mark Nelson (markn), Ray Hernandez (hernan43), Ankit Agarwal, Sam Hemelryk, Rajesh Taneja
            Votes: 0; Watchers: 5

