Moodle tracker issue MDL-46016

Shibboleth contains misleading comment regarding user passwords


    Details

    • Story Points:
      13
    • Sprint:
      BACKEND Sprint 14

      Description

      I was reading through the Shibboleth code and found this in auth/shibboleth/index.php near line 37

```php
/// If we can find the Shibboleth attribute, save it in session and return to main login page
    if (!empty($_SERVER[$pluginconfig->user_attribute])) {    // Shibboleth auto-login
        $frm = new stdClass();
        $frm->username = strtolower($_SERVER[$pluginconfig->user_attribute]);
        $frm->password = substr(base64_encode($_SERVER[$pluginconfig->user_attribute]), 0, 8);
        // The random password consists of the first 8 letters of the base 64 encoded user ID
        // This password is never used unless the user account is converted to manual
```

      The problem is that I don't believe Base64 is random at all, and for short usernames it could yield extremely short passwords. For instance, the first 8 characters of the username 'ted' are 'dGVk'.

      I am certainly no security expert, but if a site for whatever reason decided to stop using Shibboleth, anyone could stick a bunch of known usernames through Base64 and easily have the first 8 characters.

      It seems like a bunch of randomized garbage characters would be a better idea to use. I really hope I am missing something here.
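The following is an added example, not code from the Moodle tracker issue or from the Shibboleth plugin itself. It places the derivation quoted above beside the kind of replacement the report asks for: a placeholder password drawn from the operating system's CSPRNG, with no relation to the user ID. The function names `weakShibPassword` and `randomShibPassword` are hypothetical, the sample user IDs are constructed, and `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added example, not part of Moodle. Contrasts the deterministic derivation
// quoted in MDL-46016 with a CSPRNG-based placeholder password.

/**
 * The derivation quoted from auth/shibboleth/index.php (hypothetical wrapper name).
 * Deterministic: the same user ID always yields the same string, and for IDs
 * shorter than 6 bytes the result is shorter than the intended 8 characters.
 */
function weakShibPassword(string $userId): string {
    return substr(base64_encode($userId), 0, 8);
}

/**
 * Replacement (hypothetical name): $length characters drawn uniformly from a
 * 64-symbol alphabet using random_bytes(), so the value is unpredictable and
 * independent of the user ID. Using exactly 64 symbols and masking with & 63
 * avoids modulo bias.
 */
function randomShibPassword(int $length = 8): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
    $bytes = random_bytes($length);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[ord($bytes[$i]) & 63];
    }
    return $out;
}

// Constructed sample user IDs; 'ted' is the one cited in the report.
foreach (['ted', 'alice', 'jsmith42'] as $id) {
    $weak = weakShibPassword($id);
    printf("%-9s weak: %-8s (%d chars, same on every run)   random: %s\n",
        $id, $weak, strlen($weak), randomShibPassword());
}
```

Running the block shows the weak column repeating identically across runs (and only 4 characters for 'ted'), while the random column changes every time. Whatever generator is chosen, the resulting placeholder must still be passed through Moodle's normal password hashing before it is stored, exactly as a manually set password would be.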


    Dates

    • Fix Release Date:
      14/Jul/14