Task #89952: Streamline frontend user password recovery process - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Task #89952

closed

Streamline frontend user password recovery process

Added by Oliver Hader almost 5 years ago. Updated almost 5 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

felogin

Target version:

Start date:

2019-12-15

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

7.2

Tags:

Complexity:

Sprint Focus:

Description

The ext:felogin recovery process is using a non-typesafe comparison
which might be exploited with a probability of 0.000000294% and is
storing the recovery token as plain MD5-hash in database.

In order to streamline the process non-typesafe comparison is using
PHP's hash_equals() method; for keeping backward compatibility just
HMAC-SHA1 is applied to the recovery token in database.

Since exploitations to this scenario are very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests) it is not handled with a security
workflow - but using the public workflow.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Task #89952

Streamline frontend user password recovery process

Updated by Gerrit Code Review almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Benni Mack almost 5 years ago