Using SQL Server Management Studio (SSMS), I am able to copy an encrypted password from any Operator on an installation into any other Operator on any installation (same machine / installation, completely different machine / installation).
To replicate:
On Computer A
Create a new Operator and give them any password
Open SSMS > dbo.AbpUsers, show top 1000 (for example)
Locate the newly created Operator, copy the value in the ‘Password’ field
On Computer B
Open SSMS > dbo.AbpUsers, edit top 200 (for example - edit required)
Locate the admin user (typically entry #2)
Delete the value in the ‘Password’ field, and replace with the copied value from Computer A
Press the Enter key to save the change to the database
Log in using the ‘admin’ Operator, but use the password you created for the new Operator on Computer A
Login should be successful
No evidence of tampering, no warning, no errors, it just works.
Expected behaviour is that simply copying any encrypted password from one Operator to another - ESPECIALLY on a completely different installation - should NOT allow the login to work.
What's the cause of the issue? Does ASP.NET Zero use ASP.NET Identity framework PasswordHasher? By default, is there a salt? Please confirm that user passwords are hashed with salt. Is there a configuration available to resolve the issue?
2 Answer(s)
-
0
Hi @hongbing.wang,
We will try to find a good solution for it asap.
-
0
My view is this is not a security issue. If you trace down the CheckPasswordAsync call being done here, you get into Microsoft.Extensions.IdentityCore (7.0.0.0), which is doing the password verification.
From my reading this is the code which is being used.
https://github.com/dotnet/aspnetcore/blob/53845260d1ffa1a90fe4c499142bc6709dddeacf/src/Identity/Extensions.Core/src/PasswordHasher.cs#L166
And as you can see, the salt is stored in ASP.NET Core Identity with the password in the same field.
If you know the password and you copy the password column, then yes, you will be able to log in; but no, this is not a security vulnerability, as the password is salted and you won't be able to (easily) reverse the password from the hashed value.
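To make the point in the answer concrete, here is an added Python example (not code from this thread, from ASP.NET Zero, or from ASP.NET Core Identity itself) that reproduces the V3 PasswordHasher layout linked above: a 0x01 version byte, then big-endian PRF id, iteration count and salt length, then the salt and the PBKDF2 subkey, all Base64-encoded into the single PasswordHash column. The default iteration count of 10000, the function names and the sample rows are assumptions made for the example. Because the salt travels inside the field, the verifier needs nothing else from the row, which is exactly why a value copied between rows or installations still verifies against its original password. The last function is a cheap audit a DBA can run: two independently generated hashes share a value only if one was copied, so identical PasswordHash strings across users are a tampering signal.

```python
import base64
import hashlib
import hmac
import os
import struct

# PRF identifiers used in the V3 header (same order as the KeyDerivationPrf enum).
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}


def hash_password_v3(password: str, salt: bytes = None, iterations: int = 10000) -> str:
    """Build a V3 string: 0x01 | prf | iterations | salt_len | salt | subkey, Base64-encoded.
    iterations=10000 is an assumed default for this example."""
    salt = os.urandom(16) if salt is None else salt  # 128-bit random salt, fresh per hash
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    header = bytes([0x01]) + struct.pack(">III", 1, iterations, len(salt))  # big-endian, PRF 1 = HMACSHA256
    return base64.b64encode(header + salt + subkey).decode("ascii")


def parse_v3(encoded: str) -> dict:
    """Split a stored V3 value back into its fields; the salt is inside the value, not in another column."""
    raw = base64.b64decode(encoded)
    if not raw or raw[0] != 0x01:
        raise ValueError("not a V3 PasswordHasher value")
    prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
    if prf not in PRF_NAMES or salt_len < 16 or len(raw) < 13 + salt_len + 16:
        raise ValueError("malformed V3 header")
    return {
        "prf": prf,
        "iterations": iterations,
        "salt": raw[13:13 + salt_len],
        "subkey": raw[13 + salt_len:],
    }


def verify_password_v3(encoded: str, password: str) -> bool:
    """Recompute PBKDF2 with the embedded parameters and compare in constant time."""
    fields = parse_v3(encoded)
    candidate = hashlib.pbkdf2_hmac(
        PRF_NAMES[fields["prf"]],
        password.encode("utf-8"),
        fields["salt"],
        fields["iterations"],
        len(fields["subkey"]),
    )
    return hmac.compare_digest(candidate, fields["subkey"])


def find_shared_hashes(rows: list) -> dict:
    """Audit helper: given (username, password_hash) rows, return {hash: [usernames]}
    for every hash that appears on more than one row. With random salts this should be empty."""
    seen = {}
    for username, pw_hash in rows:
        seen.setdefault(pw_hash, []).append(username)
    return {h: users for h, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample: an operator's hash that was then pasted over the admin row.
    operator_hash = hash_password_v3("CorrectHorseBatteryStaple")
    rows = [
        ("newoperator", operator_hash),
        ("admin", operator_hash),
        ("alice", hash_password_v3("a different password")),
    ]
    print("admin verifies with operator's password:",
          verify_password_v3(rows[1][1], "CorrectHorseBatteryStaple"))
    print("rows sharing a hash value:", find_shared_hashes(rows))
```

Running the script shows the two sides of the thread: verification succeeds for the copied value because everything PBKDF2 needs is in the field, and the audit flags `admin` and `newoperator` as sharing a hash, which never happens by chance with 128-bit random salts. The control for the behaviour reported above is therefore write access to dbo.AbpUsers and change auditing on that table, not the hashing scheme.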