Feature #73456
Updated by Helmut Hummel almost 9 years ago
h1. Original report recently I've been studying quite a few resources on cryptography and application security and among others I found the following post: https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comp[..] Remembering that Extbase/Fluid has a service class for HMAC calculation/verification I checked the current state and found that it is indeed vulnerable to timing attacks: https://github.com/TYPO3/TYPO3.CMS/blob/f7af0487932dfa119f2490512e9108915f359e37/typo3/sysext/extbase/Classes/Security/Cryptography/HashService.php#L68 https://github.com/TYPO3/TYPO3.CMS/blob/f7af0487932dfa119f2490512e9108915f3[..] To fix this vulnerability at least the PHP function http://php.net/hash_equals should be used. For PHP < 5.6 there is a shim which could be pulled in as Composer dependency: https://packagist.org/packages/indigophp/hash-compat