Actions
Feature #73456
closed
Timing attack vulnerability in Hash comparisons throughout the core
Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2016-02-15
Due date:
% Done:
0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:
Description
Original report¶
recently I've been studying quite a few resources on cryptography and
application security
and among others I found the following post:
Remembering that Extbase/Fluid has a service class for HMAC
calculation/verification I checked the current
state and found that it is indeed vulnerable to timing attacks:
To fix this vulnerability at least the PHP function
http://php.net/hash_equals should be used.
For PHP < 5.6 there is a shim which could be pulled in as Composer
dependency:
https://packagist.org/packages/indigophp/hash-compat
Updated by Helmut Hummel about 8 years ago
would be fixed in master with this: https://review.typo3.org/#/c/46514/
Updated by Benni Mack about 8 years ago
Should we backport our new feature to v7 and v6?
Updated by Christian Kuhn almost 8 years ago
- Tracker changed from Bug to Feature
- Project changed from 1716 to TYPO3 Core
- Status changed from New to Closed
This is considered a feature and closed as duplicate of #73164 now.
Actions