Fork me on GitHub
Subscribe 2

Ticket #1043 (fixed bug)

Prevent timing attack

  • Created: 2015-07-06 20:01:29
  • Reported by: adaur
  • Assigned to: adaur
  • Milestone: 1.5.9
  • Component: security
  • Priority: high

I am not sure that we are completely safe.

In include/functions.php:

// If the cookie has been tampered with
if (forum_hmac($cookie['user_id'].'|'.$cookie['expiration_time'], $cookie_seed.'_cookie_hash') != $cookie['cookie_hash'])
if (!isset($pun_user['id']) || forum_hmac($pun_user['password'], $cookie_seed.'_password_hash') !== $cookie['password_hash'])

We only use a "!=" to compare hashes. Shouldn't we use at least "!==" or a hash_equals backport ?

History

adaur 2015-07-06 20:06:50

  • Description changed. (Diff)

adaur 2015-07-06 20:07:09

  • Description changed. (Diff)

Franz 2015-11-05 08:13:47

Commit 2687759 to fluxbb 1.5-next

Merge pull request #163 from adaur/timing-attack

#1043: Prevent timing attack

Franz 2015-11-05 09:05:51

  • Status changed from open to fixed.

Franz 2015-11-05 09:05:58

Thank you very much!

Franz 2015-11-09 10:46:32

  • Visibility set to public.