Project

General

Profile

Actions

Feature #73456

closed

Timing attack vulnerability in Hash comparisons throughout the core

Added by Helmut Hummel almost 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2016-02-15
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Original report

recently I've been studying quite a few resources on cryptography and
application security
and among others I found the following post:

https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy

Remembering that Extbase/Fluid has a service class for HMAC
calculation/verification I checked the current
state and found that it is indeed vulnerable to timing attacks:

https://github.com/TYPO3/TYPO3.CMS/blob/f7af0487932dfa119f2490512e9108915f359e37/typo3/sysext/extbase/Classes/Security/Cryptography/HashService.php#L68

To fix this vulnerability at least the PHP function
http://php.net/hash_equals should be used.
For PHP < 5.6 there is a shim which could be pulled in as Composer
dependency:
https://packagist.org/packages/indigophp/hash-compat


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Feature #73050: Add a CSPRNG to TYPO3Closed2016-01-31

Actions
Is duplicate of TYPO3 Core - Feature #73164: Add crypto-safe hashing APIRejected2016-02-06

Actions
Actions #1

Updated by Helmut Hummel almost 9 years ago

  • Description updated (diff)
Actions #2

Updated by Helmut Hummel almost 9 years ago

would be fixed in master with this: https://review.typo3.org/#/c/46514/

Actions #3

Updated by Benni Mack over 8 years ago

Should we backport our new feature to v7 and v6?

Actions #4

Updated by Christian Kuhn over 8 years ago

  • Tracker changed from Bug to Feature
  • Project changed from 1716 to TYPO3 Core
  • Status changed from New to Closed

This is considered a feature and closed as duplicate of #73164 now.

Actions

Also available in: Atom PDF