Project

General

Profile

Actions
Copy link

Task #89952

closed

Streamline frontend user password recovery process

Added by Oliver Hader almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2019-12-15
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
7.2
Tags:
Complexity:
Sprint Focus:

Description

The ext:felogin recovery process is using a non-typesafe comparison
which might be exploited with a probability of 0.000000294% and is
storing the recovery token as plain MD5-hash in database.

In order to streamline the process non-typesafe comparison is using
PHP's hash_equals() method; for keeping backward compatibility just
HMAC-SHA1 is applied to the recovery token in database.

Since exploitations to this scenario are very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests) it is not handled with a security
workflow - but using the public workflow.

Actions
Copy link
 #1

Updated by Gerrit Code Review almost 5 years ago

  • Status changed from New to Under Review
Actions
Copy link
 #2

Updated by Oliver Hader almost 5 years ago

  • Private changed from No to Yes
Actions
Copy link
 #3

Updated by Oliver Hader almost 5 years ago

  • Subject changed from <placeholder> to Streamline frontend user password recovery process
Actions
Copy link
 #4

Updated by Oliver Hader almost 5 years ago

  • Description updated (diff)
Actions
Copy link
 #5

Updated by Gerrit Code Review almost 5 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62690

Actions
Copy link
 #6

Updated by Gerrit Code Review almost 5 years ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62691

Actions
Copy link
 #7

Updated by Gerrit Code Review almost 5 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62692

Actions
Copy link
 #8

Updated by Gerrit Code Review almost 5 years ago

Patch set 1 for branch 10.2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62693

Actions
Copy link
 #9

Updated by Oliver Hader almost 5 years ago

  • Category set to felogin
  • Private changed from Yes to No
Actions
Copy link
 #10

Updated by Oliver Hader almost 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions
Copy link
 #11

Updated by Benni Mack almost 5 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF