Task #89952

Streamline frontend user password recovery process

Added by Oliver Hader 2 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2019-12-15
Due date:
% Done:
100%

TYPO3 Version:
8
PHP Version:
7.2
Tags:
Complexity:
Sprint Focus:

Description

The ext:felogin recovery process uses a non-typesafe comparison, which
might be exploited with a probability of 0.000000294%, and stores the
recovery token as a plain MD5 hash in the database.

In order to streamline the process, the non-typesafe comparison is
replaced by PHP's hash_equals() function; to keep backward compatibility,
only HMAC-SHA1 is applied to the recovery token stored in the database.

Since exploitation of this scenario is very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests), it is not handled with the security
workflow but with the public workflow.
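As an added illustration of the two changes described above (example code written for this page, not TYPO3's or ext:felogin's own implementation), the following PHP script contrasts the loose `==` comparison with hash_equals(), applies HMAC-SHA1 to the stored token, and recomputes the stated probability. All function names, the $secret value and the sample "0e..." hashes are constructed for the example.

```php
<?php
declare(strict_types=1);

// Example code, not ext:felogin code. Function names, $secret and the
// sample hashes below are constructed for illustration.

// Before: loose comparison. PHP compares two numeric strings numerically,
// so any two MD5 digests of the form "0e<30 decimal digits>" both parse
// as the number 0 and compare equal, whatever their actual characters.
function tokenMatchesLoose(string $storedHash, string $providedHash): bool
{
    return $storedHash == $providedHash; // deliberately non-typesafe
}

// After: hash_equals() compares byte-wise in constant time, with no
// numeric coercion, so only an identical string matches.
function tokenMatchesStrict(string $storedHash, string $providedHash): bool
{
    return hash_equals($storedHash, $providedHash);
}

// Storage: the MD5-shaped token itself is unchanged (backward compatible),
// but the database holds HMAC-SHA1(token) keyed with an installation
// secret, so a leaked table row does not yield a usable recovery token.
function storedTokenValue(string $recoveryToken, string $secret): string
{
    return hash_hmac('sha1', $recoveryToken, $secret);
}

// Verification on an incoming request: recompute the HMAC of the token
// from the request and compare it against the stored value.
function tokenFromRequestMatches(string $storedHmac, string $providedToken, string $secret): bool
{
    return hash_equals($storedHmac, storedTokenValue($providedToken, $secret));
}

// Probability that a uniformly random 32-char hex digest is "0e" followed
// by 30 decimal digits: (1/16) for '0', (1/16) for 'e', (10/16)^30 for the
// remaining positions.
function magicHashProbability(): float
{
    return (1 / 16) * (1 / 16) * (10 / 16) ** 30;
}

// Two constructed hashes of the "0e..." shape (not MD5 outputs of anything).
$a = '0e' . str_repeat('1', 30);
$b = '0e' . str_repeat('2', 30);

var_dump(tokenMatchesLoose($a, $b));   // loose: the two strings are compared as numbers
var_dump(tokenMatchesStrict($a, $b));  // strict: compared as bytes

$secret = bin2hex(random_bytes(32));   // stands in for the installation's encryption key
$token  = md5(bin2hex(random_bytes(16)));
$stored = storedTokenValue($token, $secret);
var_dump(tokenFromRequestMatches($stored, $token, $secret));              // correct token
var_dump(tokenFromRequestMatches($stored, str_repeat('f', 32), $secret)); // wrong token

$p = magicHashProbability();
printf("P(magic hash) = %.3e (%.9f%%)\n", $p, $p * 100);
printf("Recovery requests for a 50%% chance: about %.0f million\n", 0.5 / $p / 1e6);
```

Run with `php example.php`. tokenMatchesLoose() returns true for the two constructed hashes while tokenMatchesStrict() returns false, which is the defect the task removes; the HMAC check accepts the original token and rejects the altered one; and the final two lines reproduce the 0.000000294% and roughly 170 million figures from the description.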

Associated revisions

Revision 24e9e17a (diff)
Added by Oliver Hader 2 months ago

[TASK] Streamline frontend user password recovery process

The ext:felogin recovery process is using a non-typesafe comparison,
which might be exploited with a probability of 0.000000294%, and is
storing the recovery token as a plain MD5 hash in the database.

In order to streamline the process, the non-typesafe comparison is using
PHP's hash_equals() method; for keeping backward compatibility just
HMAC-SHA1 is applied to the recovery token in the database.

Since exploitation of this scenario is very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests) it is not handled with a security
workflow, but using the public workflow.

Resolves: #89952
Releases: master, 10.2, 9.5, 8.7
Change-Id: Idcb7b7d6eb418124dc17f1707284b6abe8a8b63b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62690
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision d9fe9b20 (diff)
Added by Oliver Hader 2 months ago

[TASK] Streamline frontend user password recovery process

The ext:felogin recovery process is using a non-typesafe comparison,
which might be exploited with a probability of 0.000000294%, and is
storing the recovery token as a plain MD5 hash in the database.

In order to streamline the process, the non-typesafe comparison is using
PHP's hash_equals() method; for keeping backward compatibility just
HMAC-SHA1 is applied to the recovery token in the database.

Since exploitation of this scenario is very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests) it is not handled with a security
workflow, but using the public workflow.

Resolves: #89952
Releases: master, 10.2, 9.5, 8.7
Change-Id: Idcb7b7d6eb418124dc17f1707284b6abe8a8b63b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62691
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision cff868c1 (diff)
Added by Oliver Hader 2 months ago

[TASK] Streamline frontend user password recovery process

The ext:felogin recovery process is using a non-typesafe comparison,
which might be exploited with a probability of 0.000000294%, and is
storing the recovery token as a plain MD5 hash in the database.

In order to streamline the process, the non-typesafe comparison is using
PHP's hash_equals() method; for keeping backward compatibility just
HMAC-SHA1 is applied to the recovery token in the database.

Since exploitation of this scenario is very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests) it is not handled with a security
workflow, but using the public workflow.

Resolves: #89952
Releases: master, 10.2, 9.5, 8.7
Change-Id: Idcb7b7d6eb418124dc17f1707284b6abe8a8b63b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62692
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision d075cdea (diff)
Added by Oliver Hader 2 months ago

[TASK] Streamline frontend user password recovery process

The ext:felogin recovery process is using a non-typesafe comparison,
which might be exploited with a probability of 0.000000294%, and is
storing the recovery token as a plain MD5 hash in the database.

In order to streamline the process, the non-typesafe comparison is using
PHP's hash_equals() method; for keeping backward compatibility just
HMAC-SHA1 is applied to the recovery token in the database.

Since exploitation of this scenario is very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests) it is not handled with a security
workflow, but using the public workflow.

Resolves: #89952
Releases: master, 10.2, 9.5, 8.7
Change-Id: Idcb7b7d6eb418124dc17f1707284b6abe8a8b63b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62693
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

History

#1 Updated by Gerrit Code Review 2 months ago

  • Status changed from New to Under Review

#2 Updated by Oliver Hader 2 months ago

  • Private changed from No to Yes

#3 Updated by Oliver Hader 2 months ago

  • Subject changed from <placeholder> to Streamline frontend user password recovery process

#4 Updated by Oliver Hader 2 months ago

  • Description updated (diff)

#5 Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62690

#6 Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62691

#7 Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62692

#8 Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 10.2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62693

#9 Updated by Oliver Hader 2 months ago

  • Category set to felogin
  • Private changed from Yes to No

#10 Updated by Oliver Hader 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#11 Updated by Benni Mack 2 months ago

  • Status changed from Resolved to Closed
