freeside password heuristics

Somebody couldn't log into freeside on billing-external, and it turned out that when freeside checks a password it assumes any password longer than 12 characters is encrypted. It also guesses that a password of exactly 13 characters is DES and that one containing `$` must be MD5. The password submitted by the user was 22 characters long, so even though it was unencrypted it didn't match any of the password types freeside checks for, resulting in the error "Can't check password: Unrecognized encryption for svcnum" in the selfservice log file.

In this Perl subroutine, check_password, there was a comment "eventually should check a "password-encoding" field", so hopefully that's done in freeside 1.9; there are supposed to be some schema changes and more configuration in the database. I want to try to install both 1.7 and 1.9 on different virtual hosts on a new domU for testing freeside.
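
The heuristic described above next to the "password-encoding" field alternative, as an added example that is not freeside's code. `guess_encoding`, the `$encoding` argument and the sample passwords are assumptions made for illustration, as is applying the guess to the stored value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Heuristic as the post describes it (a reconstruction, not freeside's code):
# the encoding is guessed from the value's length and contents.
sub guess_encoding {
    my ($stored) = @_;
    return 'plain' if length($stored) <= 12;
    return 'des'   if length($stored) == 13;
    return 'md5'   if index($stored, '$') >= 0;
    return;    # longer plaintext without '$' matches no rule
}

# With $encoding supplied (hypothetical "password-encoding" field) nothing is
# inferred from the value; with undef it falls back to the guess above.
sub check_password {
    my ($stored, $encoding, $candidate) = @_;
    $encoding = guess_encoding($stored) unless defined $encoding;
    die "Can't check password: Unrecognized encryption\n"
        unless defined $encoding;
    return $candidate eq $stored ? 1 : 0 if $encoding eq 'plain';
    if ($encoding eq 'des' || $encoding eq 'md5') {
        # crypt() takes the salt (and scheme prefix) from the stored hash
        my $hash = crypt($candidate, $stored);
        return defined($hash) && $hash eq $stored ? 1 : 0;
    }
    die "Can't check password: unsupported encoding '$encoding'\n";
}

# Constructed sample passwords, stored unencrypted.
my @cases = (
    [ 'short-pass',             undef   ],   # 10 chars: guessed plain, works
    [ 'thirteen-char',          undef   ],   # 13 chars: guessed DES, rejected
    [ 'correct-horse-battery!', undef   ],   # 22 chars: no rule matches
    [ 'correct-horse-battery!', 'plain' ],   # same value, encoding recorded
);
for my $case (@cases) {
    my ($stored, $encoding) = @$case;
    my $ok = eval { check_password($stored, $encoding, $stored) };
    my $result = defined $ok ? ($ok ? 'match' : 'no match') : "error: $@";
    chomp $result;
    printf "%-24s %-8s %s\n", $stored, $encoding // 'guessed', $result;
}
```

In this reconstruction the 13-character case fails differently from the 22-character one: the plaintext is handed to crypt() as if it were a DES hash and is rejected without any error being raised.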


About this Entry

This page contains a single entry by nick published on October 8, 2008 10:47 PM.
