Project

General

Profile

Task #89952

Updated by Oliver Hader over 4 years ago

The ext:felogin recovery process is using a non-typesafe comparison 
 which might be exploited with a probability of 0.000000294% and is 
 storing the recovery token as plain MD5-hash in database. 

 In order to streamline the process non-typesafe comparison is using 
 PHP's hash_equals() method; for keeping backward compatibility just 
 HMAC-SHA1 is applied to the recovery token in database. 

 Since exploitations to this scenario are very unlikely (for a 50% 
 chance an attacker would have to trigger the creation of around 
 170 million recovery requests) it is not handled with a security 
 workflow - but using the public workflow.

Back