TUCoPS :: HP(multi) :: bu-874.htm

HP Quality Centre Weak password Obfuscation
HP Quality Centre Weak password Obfuscation
HP Quality Centre Weak password Obfuscation



Not a major issue, but should be noted:

The password in QC and maybe TD is obfuscated as below:

password using jason is:
PASSWORD:\0000001e\ENRCRYPTED189!206!226!219!217!

As you will see each char has a 3 digit and exclamation mark. This is not in any way random, this is static, depending on where the password char is in the order. Below is the output of 10 char a's, as you will see the 2nd char a is always 206!: so easy to map out!, if the password is blank the digits are not populated:

PASSWORD:\00000032\ENRCRYPTED180!206!208!205!204!194!184!194!212!169!

As most customers implement QC with http, HP are advising that SSL should be implemented (obviously). Please see HP's response below:

--------

Hello Jason,

The obfuscation was intended to conceal the passwords from casual inspection.  Https must be used if robust encryption is required.  We are considering modifying the product documentation to make that clear.


Yours truly,
John
john.morris@hp.com 
HP Software Security Response Team (SSRT)

--------

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH