HP Quality Centre Weak password Obfuscation
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: HP Quality Centre Weak password Obfuscation
- From: jason@xxxxxxxxxxxxxxxxxxxx
- Date: Fri, 23 Oct 2009 09:11:33 -0600
Not a major issue, but should be noted:
The password in QC and maybe TD is obfuscated as below:
The password "jason" is obfuscated as:
PASSWORD:\0000001e\ENRCRYPTED189!206!226!219!217!
As you will see, each character becomes a 3-digit number followed by an
exclamation mark. This is not in any way random; it is static, depending only on
the position of the character in the password. Below is the output for a
password of ten 'a's. As you will see, the 2nd character 'a' is always 206!, so
it is easy to map out. If the password is blank, the digits are not populated:
PASSWORD:\00000032\ENRCRYPTED180!206!208!205!204!194!184!194!212!169!
As most customers implement QC over HTTP, HP are advising that SSL should be
implemented (obviously). Please see HP's response below:
--------
Hello Jason,
The obfuscation was intended to conceal the passwords from casual inspection.
HTTPS must be used if robust encryption is required. We are considering
modifying the product documentation to make that clear.
Yours truly,
John
john.morris@xxxxxx
HP Software Security Response Team (SSRT)
--------
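As an added illustration (not part of the post, nor HP's code) of why the format above is weak from a defender's point of view: a small scanner that flags lines carrying the obfuscated form in logs or captures, checks the 8-hex-digit field (assumed here, from the two quoted samples, to be the byte length of the payload after the second backslash), reports the password length leaked by the token count, and shows that two obfuscated values sharing a token at the same position share a plaintext character there, which is exactly the post's observation about 206!.

```python
import re

# Format quoted in the post: PASSWORD:\<8 hex digits>\ENRCRYPTED<ddd!><ddd!>...
# Assumption (inferred from the two samples, not stated in the post): the hex
# field is the byte length of everything after the second backslash.
OBF_RE = re.compile(r"PASSWORD:\\([0-9a-fA-F]{8})\\(ENRCRYPTED((?:\d{3}!)*))")


def parse_obfuscated(line):
    """Return (declared_len, actual_len, tokens) for a QC-style value, else None."""
    m = OBF_RE.search(line)
    if not m:
        return None
    declared = int(m.group(1), 16)
    payload = m.group(2)
    tokens = re.findall(r"\d{3}!", m.group(3))
    return declared, len(payload), tokens


def shared_positions(line_a, line_b):
    """1-based positions where two obfuscated values carry identical tokens.
    The scheme is deterministic and position-only, so an identical token means
    an identical plaintext character at that position."""
    a = parse_obfuscated(line_a)[2]
    b = parse_obfuscated(line_b)[2]
    return [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x == y]


def scan(lines):
    """Flag lines with the weak obfuscation; each finding gives the leaked
    password length (token count) and whether the length field is consistent."""
    findings = []
    for line in lines:
        parsed = parse_obfuscated(line)
        if parsed is None:
            continue
        declared, actual, tokens = parsed
        findings.append({"chars": len(tokens), "length_field_ok": declared == actual})
    return findings


# Constructed sample log lines; the PASSWORD values are the two quoted in the post.
SAMPLE_LOG = [
    "2009-10-23 09:11:33 client=10.0.0.5 PASSWORD:\\0000001e\\ENRCRYPTED189!206!226!219!217!",
    "2009-10-23 09:12:01 client=10.0.0.7 PASSWORD:\\00000032\\ENRCRYPTED180!206!208!205!204!194!184!194!212!169!",
    "2009-10-23 09:12:05 client=10.0.0.7 GET /qcbin/start_a.htm",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("positions with identical tokens:", shared_positions(SAMPLE_LOG[0], SAMPLE_LOG[1]))
```

Both quoted samples satisfy the length-field assumption (0x1e = 30 and 0x32 = 50 bytes of payload), and the only shared position between "jason" and "aaaaaaaaaa" is the second one.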