Re: Insecure handling of NetSol maintainer passwords

[ssh () SHN NU (Sean Sosik-Hamor)]

Jefferson Ogata <jogata () NODC NOAA GOV> wrote:

# I have also noticed a problem with Network Solutions' handling of
# passwords for CRYPT-PW authentication: when you submit the password
# initially, the form they generate with their New Contact Form web
# system runs the password you enter through crypt(), but the first
# two characters of the encrypted value (the salt) are the same as the
# first two characters of the password, indicating they use the
# password as its own salt.

I originally found this and reported it to them in 1996.  Since then,
I've sent them numerous emails and called them four or five times.
Each time, I was told that "it would be looked into."  So, here it is
three years later.  Yay.

http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-10-8&msg=Pine.LNX.3.95.961011120728.3070A-100000 
() socks litter717 net

/Sean/