HP Quality Centre Weak password Obfuscation

From: jason@inner-security.co.uk
To: bugtraq@securityfocus.com
Cc:
Subject: HP Quality Centre Weak password Obfuscation
Date:


Not a major issue, but should be noted:

The password in QC and maybe TD is obfuscated as below:

password using jason is:
PASSWORD:\0000001e\ENRCRYPTED189!206!226!219!217!

As you will see each char has a 3 digit and exclamation mark. This is not in any way random, this is static, depending on where the password char is in the order. Below is the output of 10 char a's, as you will see the 2nd char a is always 206!: so easy to map out!, if the password is blank the digits are not populated:

PASSWORD:\00000032\ENRCRYPTED180!206!208!205!204!194!184!194!212!169!

As most customers implement QC with http, HP are advising that SSL should be implemented (obviously). Please see HP's response below:

--------

Hello Jason,

The obfuscation was intended to conceal the passwords from casual inspection.  Https must be used if robust encryption is required.  We are considering modifying the product documentation to make that clear.


Yours truly,
John
john.morris@hp.com
HP Software Security Response Team (SSRT)

--------





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.