Moodle: MDL-46016

Shibboleth contains misleading comment regarding user passwords


Details

    • 13
    • BACKEND Sprint 14

    Description

      I was reading through the Shibboleth code and found this in auth/shibboleth/index.php near line 37

      /// If we can find the Shibboleth attribute, save it in session and return to main login page
          if (!empty($_SERVER[$pluginconfig->user_attribute])) {    // Shibboleth auto-login
              $frm = new stdClass();
              $frm->username = strtolower($_SERVER[$pluginconfig->user_attribute]);
              $frm->password = substr(base64_encode($_SERVER[$pluginconfig->user_attribute]),0,8);
              // The random password consists of the first 8 letters of the base 64 encoded user ID
              // This password is never used unless the user account is converted to manual

      The problem is that I don't believe Base64 is random at all and for short usernames could yield extremely short passwords. For instance the first 8 characters of the username 'ted' are 'dGVk'.

      I am certainly no security expert but if a site for whatever reason decided to stop using Shibboleth anyone could stick a bunch of known usernames through Base64 and easily have the first 8 characters.

      It seems like a bunch of randomized garbage characters would be a better idea to use. I really hope I am missing something here.
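The following is an added illustration, not code from the report or from Moodle, that puts the quoted derivation next to a random alternative. `derived_password()` is the exact expression quoted above; `random_password()`, the sample usernames and the PHP 7+ `random_bytes()` call are this example's own assumptions, not Moodle's eventual fix.

```php
<?php
// Added example, not Moodle code. Function names and sample usernames are
// constructed for illustration.

/**
 * The scheme quoted from auth/shibboleth/index.php: a deterministic
 * function of the username. Anyone who knows the username can recompute it,
 * and base64 of n bytes is only 4*ceil(n/3) characters long, so usernames
 * shorter than 6 bytes give fewer than 8 characters (with '=' padding
 * counted among them).
 */
function derived_password(string $username): string {
    return substr(base64_encode($username), 0, 8);
}

/**
 * Hypothetical hardened alternative (not Moodle's fix): a password drawn
 * from the CSPRNG, carrying no information about the user at all.
 * random_bytes() requires PHP 7 or later; base64 keeps the result printable.
 */
function random_password(int $bytes = 24): string {
    return base64_encode(random_bytes($bytes));
}

// Constructed sample usernames.
$usernames = ['ted', 'alice', 'a'];

foreach ($usernames as $u) {
    $p = derived_password($u);
    // Shows the length shortfall and that a second call yields the same value.
    printf("%-6s derived=%-8s length=%d repeatable=%s\n",
        $u, $p, strlen($p), $p === derived_password($u) ? 'yes' : 'no');
}

// Two independent draws: different every run and unrelated to any username.
$r1 = random_password();
$r2 = random_password();
printf("random=%s\nrandom=%s\ndistinct=%s\n", $r1, $r2, $r1 !== $r2 ? 'yes' : 'no');
```

Running it shows `ted` producing the 4-character `dGVk` mentioned in the report, `a` producing `YQ==`, and `alice` producing `YWxpY2U=` with a padding character inside the "password"; the random variant produces 32 printable characters that change on every call.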

People

  markn Mark Nelson
  hernan43 Ray Hernandez
  Ankit Agarwal
  Sam Hemelryk
  Rajesh Taneja
  David Woloszyn, Huong Nguyen, Jake Dallimore, Michael Hawkins, Stevani Andolo
  Votes: 0
  Watchers: 5

Dates

  Resolved: 14/Jul/14