
Shibboleth contains misleading comment regarding user passwords


    Details

    • Story Points:
      13
    • Sprint:
      BACKEND Sprint 14

      Description

      I was reading through the Shibboleth code and found this in auth/shibboleth/index.php near line 37.

      /// If we can find the Shibboleth attribute, save it in session and return to main login page
      if (!empty($_SERVER[$pluginconfig->user_attribute])) {    // Shibboleth auto-login
          $frm = new stdClass();
          $frm->username = strtolower($_SERVER[$pluginconfig->user_attribute]);
          $frm->password = substr(base64_encode($_SERVER[$pluginconfig->user_attribute]),0,8);
          // The random password consists of the first 8 letters of the base 64 encoded user ID
          // This password is never used unless the user account is converted to manual

      The problem is that I don't believe Base64 is random at all, and for short usernames it could yield extremely short passwords. For instance, the first 8 characters of the username 'ted' are 'dGVk'.

      I am certainly no security expert, but if a site for whatever reason decided to stop using Shibboleth, anyone could stick a bunch of known usernames through Base64 and easily have the first 8 characters.

      It seems like a bunch of randomized garbage characters would be a better idea to use. I really hope I am missing something here.
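The script below is an added illustration and is not code from this tracker issue or from the Moodle project. It mirrors the PHP expression substr(base64_encode($attribute), 0, 8) in Python to show three properties of the derived value: it is deterministic (anyone with a username list reproduces every password), it is short for short usernames, and because 8 Base64 characters encode only the first 6 bytes of input, usernames that share a 6-byte prefix collide on the same password. The helper names and the sample usernames are constructed for this example; the replacement generator uses the secrets module and stands in for whatever random-string routine a fix would use.

```python
import base64
import secrets
import string

# Assumption: the Shibboleth attribute is the raw username as a UTF-8 string.
# This mirrors substr(base64_encode($_SERVER[$attr]), 0, 8) from the PHP snippet.
def shib_derived_password(username: str) -> str:
    """Return the 8 leading Base64 characters of the username, as the plugin does."""
    return base64.b64encode(username.encode("utf-8")).decode("ascii")[:8]


def recover_passwords(usernames):
    """What an attacker holding a username list gets for free: every derived password."""
    return {u: shib_derived_password(u) for u in usernames}


def collision_groups(usernames):
    """Group usernames that map to the same derived password.

    Base64 emits 4 characters per 3 input bytes, so 8 characters cover only the
    first 6 bytes of the username; anything beyond byte 6 never reaches the password.
    """
    groups = {}
    for u in usernames:
        groups.setdefault(shib_derived_password(u), []).append(u)
    return {pw: us for pw, us in groups.items() if len(us) > 1}


_ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 20) -> str:
    """A placeholder for 'randomized garbage characters': CSPRNG-backed, not derived from input."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample usernames for the demonstration.
    users = ["ted", "a", "ted.sm", "ted.smith", "alice"]
    for user, pw in recover_passwords(users).items():
        print(f"{user:10} -> {pw!r} ({len(pw)} chars)")
    print("collisions:", collision_groups(users))
    print("random alternative:", random_password())
```

Running it prints 'dGVk' for 'ted' and 'YQ==' for 'a', and shows 'ted.sm' and 'ted.smith' both reduced to 'dGVkLnNt'; the derived value carries no entropy beyond the username itself, which is the reporter's concern stated in code.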


            People

            Assignee:
            markn Mark Nelson
            Reporter:
            hernan43 Ray Hernandez
            Peer reviewer:
            Ankit Agarwal
            Integrator:
            Sam Hemelryk
            Tester:
            Rajesh Taneja
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias

              Dates

              Fix Release Date:
              14/Jul/14