Task #89952
Updated by Oliver Hader almost 5 years ago
The ext:felogin recovery process is using a non-typesafe comparison
which might be exploited with a probability of 0.000000294% and is
storing the recovery token as plain MD5-hash in database.
In order to streamline the process non-typesafe comparison is using
PHP's hash_equals() method; for keeping backward compatibility just
HMAC-SHA1 is applied to the recovery token in database.
Since exploitations to this scenario are very unlikely (for a 50%
chance an attacker would have to trigger the creation of around
170 million recovery requests) it is not handled with a security
workflow - but using the public workflow.